The platform validation error message appears as displayed in the following image.
This is one stop global knowledge base where you can learn about all the products, solutions and support features.
Product Release Date: 2022-07-25
Last updated: 2022-12-14
This Security Guide is intended for security-minded people responsible for architecting, managing, and supporting infrastructures, especially those who want to address security without adding more human resources or additional processes to their datacenters.
This guide offers an overview of the security development life cycle (SecDL) and host of security features supported by Nutanix. It also demonstrates how Nutanix complies with security regulations to streamline infrastructure security management. In addition to this, this guide addresses the technical requirements that are site specific or compliance-standards (that should be adhered), which are not enabled by default.
Hardening of the guest OS or any applications running on top of the Nutanix infrastructure is beyond the scope of this guide. We recommend that you refer to the documentation of the products that you have deployed in your Nutanix environment.
Nutanix takes a holistic approach to security with a secure platform, extensive automation, and a robust partner ecosystem. The Nutanix security development life cycle (SecDL) integrates security into every step of product development, rather than applying it as an afterthought. The SecDL is a foundational part of product design. The strong pervasive culture and processes built around security harden the Enterprise Cloud Platform and eliminate zero-day vulnerabilities. Efficient one-click operations and self-healing security models easily enable automation to maintain security in an always-on hyperconverged solution.
Since traditional manual configuration and checks cannot keep up with the ever-growing list of security requirements, Nutanix conforms to RHEL 7 Security Technical Implementation Guides (STIGs) that use machine-readable code to automate compliance against rigorous common standards. With Nutanix Security Configuration Management Automation (SCMA), you can quickly and continually assess and remediate your platform to ensure that it meets or exceeds all regulatory requirements.
Nutanix has standardized the security profile of the Controller VM to a security compliance baseline that meets or exceeds the standard high-governance requirements.
The most commonly used references in United States to guide vendors to build products according to the set of technical requirements are as follows.
The Nutanix platform and all products leverage the Security Configuration Management Automation (SCMA) framework to ensure that services are constantly inspected for variance to the security policy.
Nutanix has implemented security configuration management automation (SCMA) to check multiple security entities for both Nutanix storage and AHV. Nutanix automatically reports log inconsistencies and reverts them to the baseline.
Nutanix leverages SaltStack and SCMA to self-heal any deviation from the security baseline configuration of the operating system and hypervisor to remain in compliance. If any component is found as non-compliant, then the component is set back to the supported security settings without any intervention. To achieve this objective, Nutanix has implemented the Controller VM to support STIG compliance with the RHEL 7 STIG as published by DISA.
The STIG rules are capable of securing the boot loader, packages, file system, booting and service control, file ownership, authentication, kernel, and logging.
Prohibit direct
root
login, lock system accounts other than
root
, enforce several password maintenance details, cautiously configure
SSH, enable screen-locking, configure user shell defaults, and display warning banners.
Nutanix provides continuous fixes and updates to address threats and vulnerabilities. Nutanix Security Advisories provide detailed information on the available security fixes and updates, including the vulnerability description and affected product/version.
To see the list of security advisories or search for a specific advisory, log on to the Support Portal and select Documentation , and then Security Advisories .
This topic provides highlights on Nutanix security landscape and its highlights. The following table helps to identify the security features offered out-of-the-box in Nutanix infrastructure.
Topic | Highlights |
---|---|
Authentication and Authorization |
|
Network segmentation | VLAN-based, data driven segmentation |
Security Policy Management | Implement security policies using Microsegmentation. |
Data security and integrity |
|
Hardening Instructions | |
Log monitoring and analysis |
|
Flow Networking |
See Flow Networking Guide |
UEFI |
See UEFI Support for VMs in the AHV Administration Guide |
Secure Boot |
See Secure Boot Support for VMs in the AHV Administration Guide |
Windows Credential Guard support |
See Windows Defender Credential Guard Support in AHV in the AHV Administration Guide |
RBAC |
This chapter describes how to implement security hardening features for Nutanix AHV and Controller VM.
You can use Nutanix Command Line Interface (nCLI) in order to customize the various configuration settings related to AHV as described below.
Description | Command or Settings | Output |
---|---|---|
Getting the cluster-wide configuration of the SCMA policy. |
Run the following
command:
|
Enable Aide : false Enable Core : false Enable High Strength P... : false Enable Banner : false Schedule : DAILY |
Enabling the Advanced Intrusion Detection Environment (AIDE) to run on a weekly basis. |
Run the following
command:
|
Enable Aide : true Enable Core : false Enable High Strength P... : false Enable Banner : false Schedule : DAILY |
Enabling the high-strength password policies (minlen=15, difok=8, maxclassrepeat=4). |
Run the following
command:
|
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : false Schedule : DAILY |
Enabling the defense knowledge consent banner of the US department. |
Run the following command:
|
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : true Schedule : DAILY |
Changing the default schedule of running the SCMA. The schedule can be hourly, daily, weekly, and monthly. |
Run the following
command:
|
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : true Schedule : HOURLY |
Enabling the settings so that AHV can generate stack traces for any cluster issue. |
Run the following
command:
Note:
Nutanix
recommends that Core should not be set to true unless instructed by the Nutanix
support team.
|
Enable Aide : true Enable Core : true Enable High Strength P... : true Enable Banner : true Schedule : HOURLY |
Configuring security levels for the nutanix user for ssh login to the Nutanix Cluster. |
Run the following
command:
|
|
Enabling locking of the security configuration. |
Run the following
command:
|
|
When a high governance official needs to run the hardened configuration. |
The settings should be as
follows:
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : false Enable SNMPv3 Only : true Schedule : HOURLY Enable Kernel Mitigations : false SSH Security Level : LIMITED Enable Lock Status : true Enable Kernel Core : true |
|
When a federal official needs to run the hardened configuration. |
The settings should be as
follows:
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : true Enable SNMPv3 Only : true Schedule : HOURLY Enable Kernel Mitigations : false SSH Security Level : LIMITED Enable Lock Status : true Enable Kernel Core : true
Note:
A
banner file can be modified to support non-DoD customer banners.
|
|
Backing up the DoD banner file. |
Run the following command on the AHV
host:
Important:
Any
changes in the banner file are not preserved across upgrades.
|
|
Modifying the DoD banner file. |
Run the following command on the AHV
host:
Note:
Repeat
all the above steps on every AHV in a cluster.
Important:
Any
changes in the banner file are not preserved across upgrades.
|
|
Setting the banner for all nodes through nCLI. |
Run the following
command:
|
The following options are configured or customized to harden the AHV:
aide -–init
command as a root user. You can move the
database to a secure location in a read-only media or on other machines. After you create
the database, you can use the
aide -–check
command for the system to
check the integrity of the files and directories by comparing the files and directories on
your system with the snapshot in the database. In case there are unexpected changes, a
report gets generated, which you can review. If the changes to existing files or files
added are valid, you can use the
aide --update
command to update the
database with the new changes.
You can use Nutanix Command Line Interface (nCLI) in order to customize the various configuration settings related to the Controller VM as described below.
For the complete list of cluster security parameters, see Edit the security params of a Cluster in the Command Reference guide.
Run the following command to support cluster-wide configuration of the SCMA policy.
nutanix@cvm$ ncli cluster get-cvm-security-config
The current cluster configuration is displayed.
Enable Aide : false Enable Core : false Enable High Strength P... : false Enable Banner : false Enable SNMPv3 Only : false Schedule : DAILY Enable Kernel Mitigations : false SSH Security Level : DEFAULT Enable Lock Status : false Enable Kernel Core : false
Run the following command to schedule weekly execution of Advanced Intrusion Detection Environment (AIDE).
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-aide=true
The following output is displayed.
Enable Aide : true Enable Core : false Enable High Strength P... : false Enable Banner : false Enable SNMPv3 Only : false Schedule : DAILY Enable Kernel Mitigations : false SSH Security Level : DEFAULT Enable Lock Status : false Enable Kernel Core : false
Run the following command to enable the strong password policy.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-high-strength-password=true
The following output is displayed.
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : false Enable SNMPv3 Only : false Schedule : DAILY Enable Kernel Mitigations : false SSH Security Level : DEFAULT Enable Lock Status : false Enable Kernel Core : false
Run the following command to enable the defense knowledge consent banner of the US department.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-banner=true
The following output is displayed.
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : true Enable SNMPv3 Only : false Schedule : DAILY Enable Kernel Mitigations : false SSH Security Level : DEFAULT Enable Lock Status : false Enable Kernel Core : false
Run the following command to enable the settings to allow only SNMP version 3.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-snmpv3-only=true
The following output is displayed.
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : true Enable SNMPv3 Only : true Schedule : DAILY Enable Kernel Mitigations : false SSH Security Level : DEFAULT Enable Lock Status : false Enable Kernel Core : false
Run the following command to change the default schedule of running the SCMA. The schedule can be hourly, daily, weekly, and monthly.
nutanix@cvm$ ncli cluster edit-cvm-security-params schedule=hourly
The following output is displayed.
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : true Enable SNMPv3 Only : true Schedule : HOURLY Enable Kernel Mitigations : false SSH Security Level : DEFAULT Enable Lock Status : false Enable Kernel Core : false
Run the following command to enable the settings so that Controller VM can generate stack traces for any cluster issue.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-core=true
The following output is displayed.
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : true Enable SNMPv3 Only : true Schedule : HOURLY Enable Kernel Mitigations : false SSH Security Level : DEFAULT Enable Lock Status : false Enable Kernel Core : true
Run the following command to configure security levels for the nutanix user for ssh login to the Nutanix Cluster.
nutanix@cvm$ ncli cluster edit-cvm-security-params ssh-security-level=limited
The following output is displayed.
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : true Enable SNMPv3 Only : true Schedule : HOURLY Enable Kernel Mitigations : false SSH Security Level : LIMITED Enable Lock Status : true Enable Kernel Core : true
Run the following command to enable to locking of the security configuration.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-lock-status=true
The following output is displayed.
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : true Enable SNMPv3 Only : true Schedule : HOURLY Enable Kernel Mitigations : false SSH Security Level : LIMITED Enable Lock Status : true Enable Kernel Core : true
When a high governance official needs to run the hardened configuration then the settings should be as follows.
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : false Enable SNMPv3 Only : true Schedule : HOURLY Enable Kernel Mitigations : false SSH Security Level : LIMITED Enable Lock Status : true Enable Kernel Core : true
When a federal official needs to run the hardened configuration then the settings should be as follows.
Enable Aide : true Enable Core : false Enable High Strength P... : true Enable Banner : true Enable SNMPv3 Only : true Schedule : HOURLY Enable Kernel Mitigations : false SSH Security Level : LIMITED Enable Lock Status : true Enable Kernel Core : true
Run the following command to backup the DoD banner file.
nutanix@cvm$ sudo cp -a /srv/salt/security/CVM/sshd/DODbanner \
/srv/salt/security/CVM/sshd/DODbannerbak
Run the following command to modify DoD banner file.
nutanix@cvm$ sudo vi /srv/salt/security/CVM/sshd/DODbanner
Run the following command to backup the DoD banner file of the Prism Central VM.
nutanix@pcvm$ sudo cp -a /srv/salt/security/PC/sshd/DODbanner \
/srv/salt/security/PC/sshd/DODbannerbak
Run the following command to modify DoD banner file of the Prism Central VM.
nutanix@pcvm$ sudo vi /srv/salt/security/PC/sshd/DODbanner
Run the following command to set the banner for all nodes through nCLI.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-banner=true
Nutanix Controller VM uses the tcp_wrappers package to allow TCP supported daemons to control the network subnets which can access the libwrapped daemons. By default, SCMA controls the /etc/hosts.allow file in /srv/salt/security/CVM/network/hosts.allow and contains a generic entry to allow access to NFS, secure shell, and SNMP.
sshd: ALL : ALLOW
rpcbind: ALL : ALLOW
snmpd: ALL : ALLOW
snmptrapd: ALL : ALLOW
Nutanix recommends that the above configuration is changed to include only the localhost entries and the management network subnet for the restricted operations; this applies to both production and high governance compliance environments. This ensures that all subnets used to communicate with the CVMs are included in the /etc/hosts.allow file.
AHV vTPM provides virtualization-based security support for the following primary use cases.
Supported Software Versions:
VM Requirements:
You can create a virtual machine with the vTPM configuration enabled using the following aCLI procedure.
acli
to enter the Acropolis CLI
mode.
Create a VM using aCLI. You can enable vTPM at the time of creating a VM. To enable vTPM during VM creation, do the following and proceed to step 5 (skip step 4 ).
Use the "vm.create" command with required arguments to create a VM. For details on VM creation command ("vm.create") and supported arguments using aCLI, see "vm" in the Command Reference Guide.
acli> vm.create <vm-name> machine_type=q35 uefi_boot=true secure_boot=true virtual_tpm=true <argument(s)>
Replace <vm-name> with the name of the VM and <argument(s)> with one or more arguments as needed for your VM.
acli> vm.update <vm-name> virtual_tpm=true
In the above command, replace "<vm-name>" with name of the newly created VM.
acli> vm.on <vm-name>
You can update the settings of an existing virtual machine (that satisfies vTPM requirements) to enable vTPM using the following aCLI procedure.
acli
to enter the acropolis CLI
mode.
acli> vm.shutdown <vm-name>
acli> vm.update <vm-name> virtual_tpm=true
Replace <vm-name> with the name of the VM.
acli> vm.on <vm-name>
Nutanix provides several mechanisms to maintain security in a cluster using Prism Element.
ldap://
host
:
ldap_port_num
.
The host value is either the IP address or fully qualified domain name.
(In some environments, a simple domain name is sufficient.) The default
LDAP port number is 389. Nutanix also supports LDAPS (port 636) and
LDAP/S Global Catalog (ports 3268 and 3269). The following are example
configurations appropriate for each port option:
ldap://ad_server.mycompany.com:389
ldaps://ad_server.mycompany.com:636
A service account is created to run only a particular service or application with the credentials specified for the account. According to the requirement of the service or application, the administrator can limit access to the service account.
A service account is under the Managed Service Accounts in the Active Directory server. An application or service uses the service account to interact with the operating system. Enter your Active Directory service account credentials in this (username) and the following (password) field.
Client authentication allows you to securely access the Prism by exchanging a digital certificate. Prism will validate that the certificate is signed by your organization’s trusted signing certificate.
Client authentication ensures that the Nutanix cluster gets a valid certificate from the user. Normally, a one-way authentication process occurs where the server provides a certificate so the user can verify the authenticity of the server (see Installing an SSL Certificate). When client authentication is enabled, this becomes a two-way authentication where the server also verifies the authenticity of the user. A user must provide a valid certificate when accessing the console either by installing the certificate on their local machine or by providing it through a smart card reader. Providing a valid certificate enables user login from a client machine with the relevant user certificate without utilizing user name and password. If the user is required to login from a client machine which does not have the certificate installed, then authentication using user name and password is still available.The Common Access Card (CAC) is a smart card about the size of a credit card, which some organizations use to access their systems. After you insert the CAC into the CAC reader connected to your system, the software in the reader prompts you to enter a PIN. After you enter a valid PIN, the software extracts your personal certificate that represents you and forwards the certificate to the server using the HTTP protocol.
When user authentication is enabled for a directory service (see Configuring Authentication), the directory users do not have any permissions by default. To grant permissions to the directory users, you must specify roles for the users (with associated permissions) to organizational units (OUs), groups, or individuals within a directory.
If you are using Active Directory, you must also assign roles to entities or users, especially before upgrading from a previous AOS version.
To assign roles, do the following:
The Create Role Mapping window appears. Do the following in the indicated fields:
Only directories previously defined when configuring authentication appear in this list. If the desired directory does not appear, add that directory to the directory list (see Configuring Authentication) and then return to this procedure.
The entity types are GROUP , USER , and OU .
OCSP is the recommended method for checking certificate revocation in client authentication. You can enable certificate revocation checking using the OSCP method through the command line interface (nCLI).
To enable certificate revocation checking using OCSP for client authentication, do the following.
ncli authconfig set-certificate-revocation set-ocsp-responder=<ocsp url>
<ocsp url>
indicates the location of the OCSP responder.
ncli authconfig get-client-authentication-config
The expected output if certificate revocation checking is enabled successfully is as follows.
Auth Config Status: true File Name: ca.cert.pem OCSP Responder URI: http://<ocsp-responder-url>
You can use the CRL certificate revocation checking method if required, as described in this section.
To enable certificate revocation checking using CRL for client authentication, do the following.
ncli authconfig set-certificate-revocation set-crl-uri=<uri 1>,<uri 2>
set-crl-refresh-interval=<refresh interval in seconds>
set-crl-expiration-interval=<expiration interval in seconds>
The authentication best practices listed here are guidance to secure the Nutanix platform by using the most common authentication security measures.
You must use the admin account as a local emergency account. The admin account ensures that both the Prism Web Console and the Controller VM are available when the external services such as Active Directory is unavailable.
For all the external authentication, you must configure the cluster to use an external IAM service such as Active Directory. You must create service accounts on the IAM and the accounts must have access grants to the cluster through Prism web console user account management configuration for authentication.
You must change the default Controller VM password for nutanix user account by adhering to the password complexity requirements.
nutanix@cvm$ passwd nutanix
Changing password for nutanix. New password: Retype new password: passwd: all authentication tokens updated successfully.
Nutanix supports the Cluster lockdown feature. This feature enables key-based SSH access to the Controller VM and AHV on the Host (only for nutanix/admin users).
Enabling cluster lockdown mode ensures that password authentication is disabled and only the keys you have provided can be used to access the cluster resources. Thus making the cluster more secure.
You can create a key pair (or multiple key pairs) and add the public keys to enable key-based SSH access. However, when site security requirements do not allow such access, you can remove all public keys to prevent SSH access.
By default, the users are logged out automatically after being idle for 15 minutes. You can change the session timeout for users and configure to override the session timeout by following the steps shown below.
For enhanced security, Prism Element locks out the admin account for a period of 15 minutes after a default number of unsuccessful login attempts. Once the account is locked out, the following message is displayed at the logon screen.
Account locked due to too many failed attempts
You can attempt entering the password after the 15 minutes lockout period, or contact Nutanix Support in case you have forgotten your password.
The following table lists all the supported and unsupported entities in UTF-8 encoding.
Supported Entities | Unsupported Entities |
---|---|
Cluster name | Acropolis file server |
Storage Container name | Share path |
Storage pool | Internationalized domain names |
VM name | E-mail IDs |
Snapshot name | Hostnames |
Volume group name | Integers |
Protection domain name | Password fields |
Remote site name | Any Hardware related names ( for example, vSwitch, iSCSCI initiator, vLAN name) |
User management | |
Chart name |
Nutanix user accounts can be created or updated as needed using the Prism web console.
You can reset the local user account password using nCLI if you are locked out and cannot login to the Prism Element or Prism Central web console ( see Resetting Password (CLI)).
Select the Backup Admin box to allow the user to perform backup-related administrative tasks. This role does not have permission to perform cluster or user tasks.
This procedure describes how to reset a local user's password on the Prism Element or the Prism Central web consoles.
To reset the password using nCLI, do the following:
Only a user with admin privileges can reset a password for other users.
nutanix@cvm$ ncli user reset-password user-name=xxxxx password=yyyyy
Replace user-name=xxxxx with the name of the user whose password is to be reset.
Replace password=yyyyy with the new password.
You can relaunch the Prism Element or the Prism Central web console and verify the new password setting.
Nutanix allows you to export an SSL certificate for Prism Element on a Nutanix cluster and use it with third-party backup applications.
nutanix@cvm$ ncli cluster info
The current cluster configuration is displayed.
Cluster Id : 0001ab12-abcd-efgh-0123-012345678m89::123456 Cluster Uuid : 0001ab12-abcd-efgh-0123-012345678m89 Cluster Name : three Cluster Version : 6.0 Cluster Full Version : el7.3-release-fraser-6.0-a0b1c2345d6789ie123456fg789h1212i34jk5lm6 External IP address : 10.10.10.10 Node Count : 3 Block Count : 1 . . . . .
nutanix@cvm$ python
The Python prompt appears.
$ import ssl
$ print ssl.get_server_certificate(('virtual_IP_address',9440), ssl_version=ssl.PROTOCOL_TLSv1_2)
$ print ssl.get_server_certificate(('10.10.10.10', 9440), ssl_version=ssl.PROTOCOL_TLSv1_2)
-----BEGIN CERTIFICATE----- 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01 23456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123 456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345 6789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567 89ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789AB CDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCD EFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEF GHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH IJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ KLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKL MNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMN OPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQR STUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRST UVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUV WXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWX YZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZab cdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcd efghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef ghij -----END CERTIFICATE-----
This chapter describes how to install and replace an SSL certificate for configuration and use on the Nutanix Controller VM.
$ cat signer.crt inter.crt root.crt > server.cert
Order is essential. The total chain should begin with the
certificate of the signer and end with the root CA certificate as
the final entry.
This table provides the Nutanix recommended set of key types, sizes/curves, and signature algorithms.
Key Type | Size/Curve | Signature Algorithm |
---|---|---|
RSA | 4096 | SHA-256, SHA-384 or SHA512 |
RSA | 2048 | SHA-256, SHA-384 or SHA512 |
EC DSA 256 | prime256v1 | ecdsa-with-sha256 |
EC DSA 384 | secp384r1 | ecdsa-with-sha384 |
EC DSA 521 | secp521r1 | ecdsa-with-sha512 |
Nutanix simplifies the process of certificate replacement to support the need of Certificate Authority (CA) based chains of trust. Nutanix recommends you to replace the default supplied self-signed certificate with a CA signed certificate.
The following files are required and should be PEM encoded to import the keys and certificate.
You must obtain the Public Certificate and CA Certificate/Chain from the certificate authority.
Generating an RSA 4096 and RSA 2048 private key
openssl req -out server.csr -new -newkey rsa:4096
-nodes -sha256 -keyout server.key
openssl req -out server.csr -new -newkey rsa:2048
-nodes -sha256 -keyout server.key
After
executing the
openssl
command, the system prompts
you to provide more details that will be incorporated into your
certificate. The mandatory fields are - Country Name, State or
Province Name, and Organization Name. The optional fields are -
Locality Name, Organizational Unit Name, Email Address, and
Challenge Password.
Nutanix recommends including a DNS name for all CVMs in the certificate using the Subject Alternative Name (SAN) extension. This avoids SSL certificate errors when you access a CVM by direct DNS instead of the shared cluster IP. This example shows how to include a DNS name while generating an RSA 4096 private key:
openssl req -out server.csr -new -newkey rsa:4096 -sha256 -nodes
-addext "subjectAltName = DNS:example.com"
-keyout server.key
For a 3-node cluster you can provide DNS name for all three nodes in a single command. For example:
openssl req -out server.csr -new -newkey rsa:4096 -sha256 -nodes
-addext "subjectAltName = DNS:example1.com,DNS:example2.com,DNS:example3.com"
-keyout server.key
If you have added a SAN (
subjectAltName
) extension to your
certificate, then every time you add or remove a node from the cluster, you
must add the DNS name when you generate or sign a new certificate.
Generating an EC DSA 256 and EC DSA 384 private key
openssl ecparam -out dsakey.pem -name prime256v1 –genkey
openssl req -out dsacert.csr -new -key dsakey.pem -nodes -sha256
openssl ecparam -out dsakey.pem -name secp384r1 –genkey
openssl req -out dsacert.csr -new -key dsakey.pem -nodes –sha384
$ cat
signer.crt
inter.crt
root.crt
>
server.cert
Order is essential. The total chain should begin with the certificate of the signer and end with the root CA certificate as the final entry.
cat signer.crt inter.crt root.crt > server.cert
Prism restarts and you must login to use the application.
Nutanix allows you to export an SSL certificate for Prism Element on a Nutanix cluster and use it with third-party backup applications.
nutanix@cvm$ ncli cluster info
The current cluster configuration is displayed.
Cluster Id : 0001ab12-abcd-efgh-0123-012345678m89::123456 Cluster Uuid : 0001ab12-abcd-efgh-0123-012345678m89 Cluster Name : three Cluster Version : 6.0 Cluster Full Version : el7.3-release-fraser-6.0-a0b1c2345d6789ie123456fg789h1212i34jk5lm6 External IP address : 10.10.10.10 Node Count : 3 Block Count : 1 . . . . .
nutanix@cvm$ python
The Python prompt appears.
$ import ssl
$ print ssl.get_server_certificate(('virtual_IP_address',9440), ssl_version=ssl.PROTOCOL_TLSv1_2)
$ print ssl.get_server_certificate(('10.10.10.10', 9440), ssl_version=ssl.PROTOCOL_TLSv1_2)
-----BEGIN CERTIFICATE----- 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01 23456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123 456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345 6789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567 89ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789AB CDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCD EFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEF GHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH IJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ KLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKL MNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMN OPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQR STUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRST UVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUV WXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWX YZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZab cdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcd efghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef ghij -----END CERTIFICATE-----
Nutanix supports the Cluster lockdown feature. This feature enables key-based SSH access to the Controller VM and AHV on the Host (only for nutanix/admin users).
Enabling cluster lockdown mode ensures that password authentication is disabled and only the keys you have provided can be used to access the cluster resources. Thus making the cluster more secure.
You can create a key pair (or multiple key pairs) and add the public keys to enable key-based SSH access. However, when site security requirements do not allow such access, you can remove all public keys to prevent SSH access.
Nutanix provides an option to secure data while it is at rest using either self-encrypted drives or software-only encryption and key-based access management (cluster's native or external KMS for software-only encryption).
Nutanix provides you with the following options to secure your data.
Note the following points regarding data-at-rest encryption.
Nutanix supports a Native Key Management Server, also called Local Key Manager (LKM), thus avoiding the dependency on an External Key Manager (EKM). Cluster localised Key Management Service support requires a minimum of 3-node in a cluster and is supported only for software-only encryption. So, 1-node and 2-node clusters can use either the Native KMS (remote) option or an EKM. .
The following types of keys are used for encryption.
Note the following points regarding the key management.
You must backup the encryption keys whenever you create a new container or remove an existing container. Nutanix Cluster Check (NCC) checks the status of the backup and sends an alert if you do not take a backup at the time of creating or removing a container.
For customers who require enhanced data security, Nutanix provides a data-at-rest security option using Self Encrypting Drives (SEDs) included in the Ultimate license.
Following features are supported:
To accomplish these goals, Nutanix implements a data security configuration that uses SEDs with keys maintained through a separate key management device. Nutanix uses open standards (TCG and KMIP protocols) and FIPS validated SED drives for interoperability and strong security.
This configuration involves the following workflow:
The drives are FIPS 140-2 validated and use FIPS 140-2 validated cryptographic modules.
Creating a new cluster that includes SEDs only is straightforward, but an existing cluster can be converted to support data-at-rest encryption by replacing the existing drives with SEDs (after migrating all the VMs/vDisks off of the cluster while the drives are being replaced).
A symmetric data encryption key (DEK) such as AES 256 is applied to all data being written to or read from the disk. The key is known only to the drive controller and never leaves the physical subsystem, so there is no way to access the data directly from the drive.
Another key, known as a key encryption key (KEK), is used to encrypt/decrypt the DEK and authenticate to the drive. (Some vendors call this the authentication key or PIN.)
Each drive has a separate KEK that is generated through the FIPS compliant random number generator present in the drive controller. The KEK is 32 bytes long to resist brute force attacks. The KEKs are sent to the key management server for secure storage and later retrieval; they are not stored locally on the node (even though they are generated locally).
In addition to the above, the leader encryption key (MEK) is used to encrypt the KEKs.
Each node maintains a set of certificates and keys in order to establish a secure connection with the external key management server.
Only one key management server device is required, but it is recommended that multiple devices are employed so the key management server is not a potential single point of failure. Configure the key manager server devices to work in clustered mode so they can be added to the cluster configuration as a single entity that is resilient to a single failure.
If the Controller VM cannot get the correct keys from the key management server, it cannot access data on the drives.
If a drive is re-seated, it becomes locked.
If a drive is stolen, the data is inaccessible without the KEK (which cannot be obtained from the drive). If a node is stolen, the key management server can revoke the node certificates to ensure they cannot be used to access data on any of the drives.
Doing so could result in complete data loss if there is a problem with the VM while it is hosted in that cluster.
If you are using an external KMS for encryption using AOS, preparation steps outside the web console are required. The information in this section is applicable if you choose to use an external KMS for configuring encryption.
You must install the license of the external key manager for all nodes in the cluster. See Compatibility and Interoperability Matrix for a complete list of the supported key management servers. For instructions on how to configure a key management server, refer to the documentation from the appropriate vendor.
The system accesses the EKM under the following conditions:
Starting a cluster
Regenerating a key (key regeneration occurs automatically every year by default)
Adding or removing a node (only when Self Encrypting Drives is used for encryption)
Switching between Native to EKM or EKM to Native
Starting, and restarting a service (only if Software-based encryption is used)
Upgrading AOS (only if Software-based encryption is used)
NCC heartbeat check if EKM is alive
The key management server devices must be configured into the network so the cluster has access to those devices. For redundant protection, it is recommended that you employ at least two key management server devices, either in active-active cluster mode or stand-alone.
Ensure that Security > High Security > Key Security > Disable Creation and Use of Global Keys is checked.
Set the appliance to compatibility mode. Suite B mode causes the SSL handshake to fail.
unique_node_identifier
.nutanix.com
to identify the node associated with the
certificate.
ncli data-at-rest-encryption-certificate update-csr-information domain-name=abcd.test.com
In the above command example, replace "abcd.test.com" with the actual domain name.
Nutanix
. This can be
useful when configuring a Nutanix group for access
control within a key management server, since it is
based on fields within the client certificates.
The SafeNet KeySecure key management server includes a local CA option to generate signed certificates, or you can use other third-party vendors to create the signed certificates.
To enable FIPS compliance, add user nutanix to the CA that signed the CSR. Under Security > High Security > FIPS Compliance click Set FIPS Compliant .
In the SafeNet KeySecure management console, go to Device > Key Server > Key Server > KMIP Properties > Authentication Settings .
Then do the following:
If you do not perform these settings, the KMS creates global keys and fails to encrypt the clusters or containers using the software only method.
Nutanix offers an option to use self-encrypting drives (SEDs) to store data in a cluster. When SEDs are used, there are several configuration steps that must be performed to support data-at-rest encryption in the cluster.
To configure cluster encryption, do the following:
Data on a self encrypting drive (SED) is always encrypted, but enabling/disabling data-at-rest encryption for the cluster determines whether a separate (and secured) key is required to access that data.
The key encryption key (KEK) can be changed at any time. This can be useful as a periodic password rotation security precaution or when a key management server or node becomes compromised. If the key management server is compromised, only the KEK needs to be changed, because the KEK is independent of the drive encryption key (DEK). There is no need to re-encrypt any data, just to re-encrypt the DEK.
To change the KEKs for a cluster, do the following:
Data on a self encrypting drive (SED) is always encrypted, and the data encryption key (DEK) used to read the encrypted data is known only to the drive controller. All data on the drive can effectively be destroyed (that is, become permanently unreadable) by having the controller change the DEK. This is known as a crypto-erase.
To crypto-erase a SED, do the following:
As part of the disk removal process, the DEK for that disk is automatically cycled on the drive controller. The previous DEK is lost and all new disk reads are indecipherable. The key encryption key (KEK) is unchanged, and the new DEK is protected using the current KEK.
To accomplish the above mentioned goals, Nutanix implements a data security configuration that uses AOS functionality along with the cluster’s native or an external key management server. Nutanix uses open standards (KMIP protocols) for interoperability and strong security.
This configuration involves the following workflow:
Each node maintains a set of certificates and keys in order to establish a secure connection with the key management server.
Only one key management server device is required, but it is recommended that multiple devices are employed so the key management server is not a potential single point of failure. Configure the key manager server devices to work in clustered mode so they can be added to the cluster configuration as a single entity that is resilient to a single failure.
Nutanix offers a software-only option to perform data-at-rest encryption in a cluster or container.
Doing so could result in complete data loss if there is a problem with the VM while it is hosted in that cluster.
To configure cluster or container encryption, do the following:
When you enable encryption, a low priority background task runs to encrypt all the unencrypted data. This task is designed to take advantage of any available CPU space to encrypt the unencrypted data within a reasonable time. If the system is occupied with other workloads, the background task consumes less CPU space. Depending on the amount of data in the cluster, the background task can take 24 to 36 hours to complete.
After Software Encryption has been established, Nutanix supports the ability to switch the KMS type from the External Key Manager to the Native Key Manager or from the Native Key Manager to an External Key Manager, without any down time.
The key encryption key (KEK) can be changed at any time. This can be useful as a periodic password rotation security precaution or when a key management server or node becomes compromised. If the key management server is compromised, only the KEK needs to be changed, because the KEK is independent of the drive encryption key (DEK). There is no need to re-encrypt any data, just to re-encrypt the DEK.
To change the KEKs for a cluster, do the following:
Data on the AOS cluster is always encrypted, and the data encryption key (DEK) used to read the encrypted data is known only to the AOS. All data on the drive can effectively be destroyed (that is, become permanently unreadable) by deleting the container or cluster. This is known as a crypto-erase.
To crypto-erase the container or cluster, do the following:
When you delete a storage container, the Curator scans and deletes the DEK and KEK keys automatically.
When you destroy a cluster, then:
This section describes the steps to switch from SED and External KMS combination to software-only and LKM combination.
To switch from SED-EKM to Software-LKM, do the following.
Dual Encryption protects the data on the clusters using both SED and software-only encryption. An external key manager is used to store the keys for dual encryption, the Native KMS is not supported.
To configure dual encryption, do the following:
You can take a backup of encryption keys:
Backing up encryption keys is critical in the very unlikely situation in which keys get corrupted.
You can download key backup file for a cluster on a PE or all clusters on a PC. To download key backup file for all clusters, see Taking a Consolidated Backup of Keys (Prism Central) .
To download the key backup file for a cluster, do the following:
The backup file is saved in the default download location on your local machine.
If you are using the Native KMS option with software encryption for your clusters, you can take a consolidated backup of all the keys from Prism Central.
You can import the encryption keys from backup. You must note the specific commands in this topic if you backed up your keys to an external key manager (EKM)
mantle_recovery_util --backup_file_path=/home/nutanix/encryption_key_backup_date \
--password=Nutanix.123 --list_key_ids=true
mantle_recovery_util --backup_file_path=/home/nutanix/key_backup \
--password=Nutanix.123 --interactive_mode
mantle_recovery_util --backup_file_path path/encryption_key_backup_date \
--password key_password --store_kek_remotely
Network segmentation enhances security, resilience, and cluster performance by isolating a subset of traffic to its own network.
You can achieve traffic isolation in one or more of the following ways:
To enable the CVMs in a cluster to communicate over these separated networks, the CVMs are multihomed. Multihoming is facilitated by the addition of a virtual network interface card (vNIC) to the Controller VM and placing the new interface on the backplane network. Additionally, the hypervisor is assigned an interface on the backplane network.
The traffic associated with the CVM interfaces and host interfaces on the backplane network can be secured further by placing those interfaces on a separate VLAN.
In this type of segmentation, both network segments continue to use the same external bridge and therefore use the same set of physical uplinks. For physical separation, see Physically Isolating the Backplane Traffic on an AHV Cluster.
Isolating backplane traffic from management traffic requires minimal configuration through the Prism web console. No manual host (hypervisor) configuration steps are required.
For information about isolating backplane traffic, see Isolating the Backplane Traffic Logically on an Existing Cluster (VLAN-Based Segmentation Only).
You can physically isolate the backplane traffic (intra cluster traffic) from the management traffic (Prism, SSH, SNMP) in to a separate vNIC on the CVM and using a dedicated virtual network that has its own physical NICs. This type of segmentation therefore offers true physical separation of the backplane traffic from the management traffic.
You can use Prism to configure the vNIC on the CVM and configure the backplane traffic to communicate over the dedicated virtual network. However, you must first manually configure the virtual network on the hosts and associate it with the physical NICs that it requires for true traffic isolation.
For more information about physically isolating backplane traffic, see Physically Isolating the Backplane Traffic on an AHV Cluster.
You can use Prism to create the vNIC on the CVM and configure the service to communicate over the dedicated virtual network. However, you must first manually configure the virtual network on the hosts and associate it with the physical NICs that it requires for true traffic isolation. You need one virtual network for each service you want to isolate. For a list of the services whose traffic you can isolate in the current release, see Cluster Services That Support Traffic Isolation.
For information about isolating service-specific traffic, see Isolating Service-Specific Traffic.
For information about isolating backplane traffic on an RDMA cluster, see Isolating the Backplane Traffic on an Existing RDMA Cluster.
The traffic entering and leaving a Nutanix cluster can be broadly classified into the following types:
Traffic on the management plane can be further isolated per service or feature. An example of this type of traffic is the traffic that the cluster receives from external iSCSI initiators (Nutanix Volumes iSCSI traffic). For a list of services supported in the current release, see Cluster Services That Support Traffic Isolation.
In the default unsegmented network in a Nutanix cluster (ESXi and AHV), the Controller VM has two virtual network interfaces—eth0 and eth1.
Interface eth0 is connected to the default external virtual switch, which is in turn connected to the external network through a bond or NIC team that contains the host physical uplinks.
Interface eth1 is connected to an internal network that enables the CVM to communicate with the hypervisor.
In the below unsegmented network (see figure Unsegmented Network - ESXi Cluster , and Unsegmented Network - AHV Cluster ) all external CVM traffic, whether backplane or management traffic, uses interface eth0. These interfaces are on the default VLAN on the default virtual switch.
This figure shows an unsegmented network AHV cluster.
In AHV, VM live migration traffic is also backplane, and uses the AHV backplane interface, VLAN, and virtual switch when configured.
If you further isolate service-specific traffic, additional vNICs are created on the CVM. Each service requiring isolation is assigned a dedicated virtual NIC on the CVM. The NICs are named ntnx0, ntnx1, and so on. Each service-specific NIC is placed on a configurable existing or new virtual network (vSwitch or bridge) and a VLAN and IP subnet are specified.
In a segmented network, management traffic uses CVM interface eth0 and additional services can be isolated to different VLANs or virtual switches. In backplane segmentation, the backplane traffic uses interface eth2. The backplane network uses either the default VLAN or, optionally, a separate VLAN that you specify when segmenting the network. In ESXi, you must select a port group for the new vmkernel interface. In AHV this internal interface is created automatically in the selected virtual switch. For physical separation of the backplane network, create this new port group on a separate virtual switch in ESXi, or select the desired virtual switch in the AHV GUI.
If you want to isolate service-specific traffic such as Volumes or Disaster Recovery as well as backplane traffic, then additional vNICs are needed on the CVM, but no new vmkernel adapters or internal interfaces are required. AOS creates additional vNICs on the CVM. Each service that requires isolation is assigned a dedicated vNIC on the CVM. The NICs are named ntnx0, ntnx1, and so on. Each service-specific NIC is placed on a configurable existing or new virtual network (vSwitch or bridge) and a VLAN and IP subnet are specified.
You can choose to perform backplane segmentation alone, with no other forms of segmentation. You can also choose to use one or more types of service specific segmentation with or without backplane segmentation. In all of these cases, you can choose to segment any service to either the existing, or a new virtual switch for further physical traffic isolation. The combination selected is driven by the security and networking requirements of the deployment. In most cases, the default configuration with no segmentation of any kind is recommended due to simplicity and ease of deployment.
The following figure shows an implementation scenario where the backplane and service specific segmentation is configured with two vSwitches on ESXi hypervisors.
Here are the CVM to ESXi hypervisor connection details:
The following figure shows an implementation scenario where the backplane and service specific segmentation is configured with two vSwitches on an AHV hypervisors.
Here are the CVM to AHV hypervisor connection details:
The following table describes the vNIC, port group (PG), VM kernel (vmk), virtual network (vnet) and virtual switch connections for CVM and hypervisor in different implementation scenarios. The tables capture information for ESXi and AHV hypervisors:
Implementation Scenarios | vNICs on CVM | Connected to ESXi Hypervisor | Connected to AHV Hypervisor |
---|---|---|---|
Backplane Segmentation with 1 vSwitch |
eth0: DR, iSCSI, andManagement traffic |
vmk0 via existing PGm on vSwitch | Existing vnet0 |
eth2: Backplane traffic |
New vmk2 via PGb on vSwitch0 CVM vNIC via PGb on vSwitch0 |
Auto created interfaces on bridge br0 | |
Backplane Segmentation with 2 vSwitches |
eth0: Management traffic |
vmk0 via existing PGm on vSwitch0 | Existing vnet0 |
eth2: Backplane traffic |
New vmk2 via PGb on new vSwitch CVM vNIC via PGb on new vSwitch |
Auto created interfaces on new virtual switch | |
Service Specific Segmentation for Volumes with 1 vSwitch |
eth0: DR, Backplane, and Management traffic |
vmk0 via existing PGm on vSwitch0 |
Existing vnet0 |
ntnx0: iSCSI (Volumes) traffic |
CVM vNIC via PGi on vSwitch0 |
Auto created interface on existing br0 | |
Service Specific Segmentation for Volumes with 2 vSwitches |
eth0: DR, Backplane, and Management traffic |
vmk0 via existing PGm on vSwitch0 |
Existing vnet0 |
ntnx0: iSCSI (Volumes) traffic |
CVM vNIC via PGi on new vSwitch |
Auto created interface on new virtual switch | |
Service Specific Segmentation for DR with 1 vSwitch |
eth0: iSCSI, Backplane, and Management traffic |
vmk0 via existing PGm on vSwitch0 |
Existing vnet0 |
ntnx1: DR traffic |
CVM vNIC via PGd on vSwitch0 |
Auto created interface on existing br0 |
|
Service Specific Segmentation for DR with 2 vSwitches |
eth0: iSCSI, Backplane, and Management traffic |
vmk0 via existing PGm on vSwitch0 |
Existing vnet0 |
ntnx1: DR traffic |
CVM vNIC via PGd on new vSwitch |
Auto created interface on new virtual switch |
|
Backplane and Service Specific Segmentation with 1 vSwitch |
eth0: Management traffic |
vmk0 via existing PGm on vSwitch0 |
Existing vnet0 |
eth2: Backplane traffic |
New vmk2 via PGb on vSwitch0 CVM vNIC via PGb on vSwitch0 |
Auto created interfaces on br0 | |
ntnx0: iSCSI traffic |
CVM vNIC via PGi on vSwitch0 | Auto created interface on br0 | |
ntnx1: DR traffic |
CVM vNIC via PGd on vSwitch0 |
Auto created interface on br0 | |
Backplane and Service Specific Segmentation with 2 vSwitches |
eth0: Management traffic |
vmk0 via existing PGm on vSwitch0 |
Existing vnet0 |
eth2: Backplane traffic |
New vmk2 via PGb on new vSwitch CVM vNIC via PGb on new vSwitch |
Auto created interfaces on new virtual switch | |
ntnx0: iSCSI traffic |
CVM vNIC via PGi on vSwitch1 No new user defined vmkernel adapter is required. |
Auto created interface on new virtual switch | |
ntnx1: DR traffic |
CVM vNIC via PGd on vSwitch2. No new user defined vmkernel adapter is required. |
Auto created interface in new virtual switch |
Network segmentation is supported in the following environment:
Stargate does not monitor the health of a segmented network. If physical network segmentation is configured, network failures or connectivity issues are not tolerated. To overcome this issue, configure redundancy in the network. That is, use two or more uplinks in a fault tolerant configuration, connected to two separate physical switches.
n+1
IP addresses, where
n
is the number of nodes in the cluster. The additional IP address is for the virtual IP
address requirement.
The system does not support configuring a Leap DR and DR service specific traffic isolation together.
You can isolate traffic associated with the following services to its own virtual network:
Management (The default network that cannot be moved from CVM eth0)
Backplane
RDMA
Service Specific Disaster Recovery
Service Specific Volumes
Network segmentation is not supported in the following configurations:
Nutanix has deprecated support for manual multi-homed CVM network interfaces from AOS version 5.15 and later. Such a manual configuration can lead to unexpected issues on these releases. If you have configured an eth2 interface on the CVM manually, refer to the KB-9479 and Nutanix Field Advisory #78 for details on how to remove the eth2 interface.
These steps describe how to configure host networking for physical and service-specific network segmentation on an AHV host. These steps are prerequisites for physical and service-specific network segmentation and you must perform these steps before you perform physical or service-specific traffic isolation. If you are configuring networking on an ESXi host, perform the equivalent steps by referring to the ESXi documentation. On ESXi, you create vSwitches and port groups to achieve the same results.
For information about the procedures to create, update and delete a virtual switch in Prism Element Web Console, see Configuring a Virtual Network for Guest VMs in the Prism Web Console Guide .
To configure host networking for physical and service-specific network segmentation, do the following:
For information about updating the default virtual switch vs0 to remove the uplinks, see Creating or Updating a Virtual Switch in the Prism Web Console Guide .
For information about creating a new virtual switch, see Creating or Updating a Virtual Switch in the Prism Web Console Guide .
ovs-vsctl add-br br1
manage_ovs --bridge_name br0 --interfaces eth0,eth1 --bond_name br0-up --bond_mode active-backup update_uplinks
manage_ovs --bridge_name br1 --interfaces eth2,eth3 --bond_name br1-up --bond_mode active-backup update_uplinks
If you are performing physical network segmentation, see Physically Isolating the Backplane Traffic on an Existing Cluster.
If you are performing service-specific traffic isolation, see Service-Specific Traffic Isolation.
You can segment the network on a Nutanix cluster in the following ways:
The following topics describe network segmentation procedures for existing clusters and changes during AOS upgrade and cluster expansion. For more information about segmenting the network when creating a cluster, see the Field Installation Guide.
You can segment the network on an existing cluster by using the Prism web console. You must configure a separate VLAN for the backplane network to achieve logical segmentation. The network segmentation process creates a separate network for backplane communications on the existing default virtual switch. The process then places the eth2 interfaces (that the process creates on the CVMs during upgrade) and the host interfaces on the newly created network. This method allows you to achieve logical segmentation of traffic over the selected VLAN. From the specified subnet, assign IP addresses to each new interface. You, therefore, need two IP addresses per node. When you specify the VLAN ID, AHV places the newly created interfaces on the specified VLAN.
If your cluster has RDMA-enabled NICs, follow the procedure in Isolating the Backplane Traffic on an Existing RDMA Cluster.
Since backplane traffic segmentation is logical, it is based on the VLAN that is tagged for the port groups. Therefore, while creating the port groups ensure that you tag the new port groups created for the ESXi hosts and CVMs with the appropriate VLAN ID. Consult your networking team to acquire the necessary VLANs for use with Nutanix nodes.
To segment the network on an existing ESXi and Hyper-V clusters for a backplane LAN, do the following:
To segment the network on an existing AHV cluster for a backplane LAN, follow the procedure described in the Physically Isolating the Backplane Traffic on an AHV Cluster topic.
In this method, for AHV nodes, logical segmentation (VLAN-based segmentation) is done on the default bridge. The process creates the host backplane interface on the Backplane Network port group on ESXi or br0-backplane (interface) on br0 bridge in case of AHV. The eth2 interface on the CVM is on CVM Backplane Network by default.
Ensure that the subnet has sufficient IP addresses. The segmentation process requires two IP addresses per node. Reconfiguring the backplane to increase the size of the subnet involves cluster downtime, so you might also want to make sure that the subnet can accommodate new nodes in the future.
Nutanix recommends that you use a VLAN. If you do not specify a VLAN ID, the default VLAN on the virtual switch is used.
Segment the network on an existing RDMA cluster by using the Prism web console.
By using the Prism web console, you can configure the eth2 interface on a separate virtual switch if you wish to isolate the backplane traffic to a separate physical network.
If you do not configure as separate virtual switch, the backplane traffic uses another VLAN in the default switch for VLAN-based traffic isolation.
A virtual switch is known as the following in different hypervisors.
Hypervisor | Virtual Switch |
---|---|
AHV | Virtual Switch |
ESXi | vSwitch |
Hyper-V | Hyper-V Virtual Switch |
Network segmentation process creates a separate network for backplane communications on the new virtual switch. The segmentation process places the CVM eth2 interfaces and the host interfaces on the newly created network. Specify a subnet with a network mask and, optionally, a VLAN ID. From the specified subnet or an IP Pool assign IP addresses to each new interface in the new network. You require a minimum of two IP addresses per node.
If you specify the optional VLAN ID, the newly created interfaces are placed on VLAN.
Nutanix highly recommends a separate VLAN for the backplane network to achieve true segmentation.
For AHV, see Configuring the Network on an AHV Host. For ESXI and Hyper-V, see VMware and Microsoft documentation respectively.
On the AHV hosts, do the following:
Add the uplinks to the new bond when you create the new virtual switch.
See Configuring the Network on an AHV Host for instructions about how to perform these tasks on a host.
Perform the following procedure to physically segment the backplane traffic on an AHV cluster.
nutanix@cvm$ acli host.list
Note the value of
Hypervisor IP for the node you want to put in the maintenance
mode.
nutanix@cvm$ acli host.enter_maintenance_mode hypervisor-IP-address [wait="{ true | false }" ] [non_migratable_vm_action="{ acpi_shutdown | block }" ]
Replace host-IP-address with either the IP address or host name of the AHV host you want to shut down.
The following are optional parameters for running the acli host.enter_maintenance_mode command:
Do not continue if the host has failed to enter the maintenance mode.
nutanix@cvm$ acli host.get host-ip
In the output that is displayed, ensure that node_state equals to EnteredMaintenanceMode and schedulable equals to False .
The AOS CVM default route uses the CVM eth0 interface, and there is no route on the backplane interface. Therefore, Nutanix recommends only using a non-routable subnet for the backplane network. To avoid split routing, do not use a routable subnet for the backplane network.
Make sure that the backplane subnet has a sufficient number of IP addresses. Two IP addresses are required per node. Reconfiguring the backplane to increase the size of the subnet involves cluster downtime, so you might also want to make sure that the subnet can accommodate new nodes in the future.
Nutanix strongly recommends configuring a separate VLAN. If you do not specify a VLAN ID, AOS applies the untagged VLAN on the virtual switch.
nutanix@cvm$ allssh genesis stop acropolis
nutanix@cvm$ cluster start
nutanix@cvm$ acli host.exit_maintenance_mode host-ip
Replace host-ip with the new IP address of the host.
This command migrates (live migration) all the VMs that were previously running on the host back to the host.
nutanix@cvm$ acli host.get host-ip
In the output that is displayed, ensure that node_state equals to kAcropolisNormal or AcropolisNormal and schedulable equals to True .
On the ESXi hosts, do the following:
See the ESXi documentation for instructions about how to perform these tasks.
Perform the following procedure to physically segment the backplane traffic.
Make sure that the subnet has a sufficient number of IP addresses. Two IP addresses are required per node. Reconfiguring the backplane to increase the size of the subnet involves cluster downtime, so you might also want to make sure that the subnet can accommodate new nodes in the future.
Nutanix clusters support both vSphere Standard Switches and vSphere Distributed Switches. However, you must mandatorily configure only one type of virtual switches in one cluster. Configure all the backplane and management traffic in one cluster on either vSphere Standard Switches or vSphere Distributed Switches. Do not mix Standard and Distributed vSwitches on a single cluster.
On the Hyper-V hosts, do the following:
See the Hyper-V documentation on the Microsoft portal for instructions about how to perform these tasks.
Perform the following procedure to physically segment the backplane traffic.
Make sure that the subnet has a sufficient number of IP addresses. Two IP addresses are required per node. Reconfiguring the backplane to increase the size of the subnet involves cluster downtime, so you might also want to make sure that the subnet can accommodate new nodes in the future.
Backplane network reconfiguration is a CLI-driven procedure that you perform on any one of the CVMs in the cluster. The change is propagated to the remaining CVMs.
To reconfigure the cluster, do the following:
nutanix@cvm$ backplane_ip_reconfig [--backplane_vlan=vlan-id] \
[--backplane_ip_pool=ip_pool_name]
Replace vlan-id with the new VLAN ID, and ip_pool_name with the newly created backplane IP pool.
See Configuring Backplane IP Pool to create a backplane IP pool.
For example, reconfigure the backplane network to use VLAN ID
10
and newly created backplane IP pool.
nutanix@cvm$ backplane_ip_reconfig --backplane_vlan=10 \
--backplane_ip_pool=NewBackplanePool
Output similar to the following is displayed:
This operation will do a 'cluster stop', resulting in disruption of cluster services. Do you still want to continue? (Type "yes" (without quotes) to continue) Type yes to confirm that you want to reconfigure the backplane network.
Failed to reach a node.You can safely ignore this error message and therefore do not stop the script manually.
backplane_ip_reconfig
command is not supported on
ESXi clusters with vSphere Distributed Switches. To reconfigure the
backplane network on a vSphere Distributed Switch setup, disable the
backplane network (see Disabling Network Segmentation on an ESXi and Hyper-V Clusters) and
enable again with a different subnet or VLAN.
nutanix@cvm$ svmips -b
172.30.25.1 172.30.25.3 172.30.25.5
nutanix@cvm$ hostips -b
172.30.25.2 172.30.25.4 172.30.25.6
b
, display the IP addresses assigned to
the interfaces on the backplane.
Backplane network reconfiguration is a CLI-driven procedure that you perform on any one of the CVMs in the cluster. The change is propagated to the remaining CVMs.
nutanix@cvm$ network_segmentation --backplane_network --disable
Output similar to the following appears:
Operation type : Disable Network type : kBackplane Params : {} Please enter [Y/y] to confirm or any other key to cancel the operation
Type Y/y to confirm that you want to reconfigure the backplane network.
If you type Y/y, network segmentation is disabled and the cluster restarts in a rolling manner, one CVM at a time. If you type anything other than Y/y, network segmentation is not disabled.
This method does not involve cluster downtime.
nutanix@cvm$ network_segment_status
Output similar to the following is displayed:
2017-11-23 06:18:23 INFO zookeeper_session.py:110 network_segment_status is attempting to connect to ZookeeperNetwork segmentation is disabled
b
option and once with the
b
option, and then compare the IP addresses shown in the output).
nutanix@cvm$ svmips 192.127.3.2 192.127.3.3 192.127.3.4 nutanix@cvm$ svmips -b 192.127.3.2 192.127.3.3 192.127.3.4 nutanix@cvm$ hostips 192.127.3.5 192.127.3.6 192.127.3.7 nutanix@cvm$ hostips -b 192.127.3.5 192.127.3.6 192.127.3.7
In the example above, the outputs of the svmips and hostips commands with and without the b option are the same, indicating that the backplane network segmentation is disabled.
You perform backplane network reconfiguration procedure on any one of the CVMs in the cluster. The change propagates to the remaining CVMs.
nutanix@cvm$ acli host.list
Note the value of
Hypervisor IP for the node you want to put in the maintenance
mode.
nutanix@cvm$ acli host.enter_maintenance_mode hypervisor-IP-address [wait="{ true | false }" ] [non_migratable_vm_action="{ acpi_shutdown | block }" ]
Replace host-IP-address with either the IP address or host name of the AHV host you want to shut down.
The following are optional parameters for running the acli host.enter_maintenance_mode command:
Do not continue if the host has failed to enter the maintenance mode.
nutanix@cvm$ acli host.get host-ip
In the output that is displayed, ensure that node_state equals to EnteredMaintenanceMode and schedulable equals to False .
This involves a rolling reboot of CVMs to migrate the cluster services back to the external interface.
nutanix@cvm$ allssh genesis stop acropolis
nutanix@cvm$ cluster start
nutanix@cvm$ acli host.exit_maintenance_mode host-ip
Replace host-ip with the new IP address of the host.
This command migrates (live migration) all the VMs that were previously running on the host back to the host.
nutanix@cvm$ acli host.get host-ip
In the output that is displayed, ensure that node_state equals to kAcropolisNormal or AcropolisNormal and schedulable equals to True .
Isolating the traffic associated with a specific service is a two-step process. The process is as follows:
To isolate a service to a separate virtual network, do the following:
To modify network segmentation configured for a service, you must first disable network segmentation for that service and then create the network interface again for that service with the new IP address pool and VLAN.
For example, if the interface of the service you want to modify is ntnx0, after the reconfiguration, the same interface (ntnx0) is assigned to that service if that interface is not assigned to any other service. If ntnx0 is assigned to another service, a new interface (for example ntnx1) is created and assigned to that service.
Perform the following to reconfigure network segmentation configured for a service.
To disable network segmentation configured for a service, you must disable the dedicated VNIC. Disabling network segmentation frees up the name of the VNIC. Disabling network segmentation frees up the vNIC’s name. The free name is reused in a subsequent network segmentation configuration.
At the end of this procedure, the cluster performs a rolling restart. Disabling network segmentation might also disrupt the functioning of the associated service. To restore normal operations, you might have to perform other tasks immediately after the cluster has completed the rolling restart. For information about the follow-up tasks, see Service-Specific Settings and Configurations.
To disable the network segmentation configured for a service, do the following:
If you disable network segmentation for a service, the vNIC for that service is not deleted. AOS reuses the vNIC if you enable network segmentation again. However, you can manually delete a vNIC by logging into any CVM in the cluster with SSH.
Perform the following to delete a vNIC.
nutanix@cvm$ network_segmentation --service_network --interface="interface-name" --delete
Replace interface-name with the name of the interface you want to delete. For example, ntnx0.
The following sections describe the settings required by the services that support network segmentation.
Network segmentation for Volumes also requires you to migrate iSCSI client connections to the new segmented network. If you no longer require segmentation for Volumes traffic, you must also migrate connections back to eth0 after disabling the vNIC used for Volumes traffic.
You can create two different networks for Nutanix Volumes with different IP pools, VLANs, and data services IP addresses. For example, you can create two iSCSI networks for production and non-production traffic on the same Nutanix cluster.
Follow the instructions in Isolating Service-Specific Traffic again to create the second network for Volumes after you create the first network.
Parameter or Setting | Description |
---|---|
Virtual IP | (Optional) Virtual IP address for the service. If specified, the IP address must be picked from the specified IP address pool. If not specified, an IP address from the specified IP address pool is selected for you. |
Client Subnet | The network (in CIDR notation) that hosts the iSCSI clients. Required If the vNIC created for the service on the CVM is not on the same network as the clients. |
Gateway | Gateway to the subnetwork that hosts the iSCSI clients. Required If you specify the client subnet. |
After you enable network segmentation for Volumes, you must manually migrate connections from existing iSCSI clients to the newly segmented network.
To migrate iSCSI connections to the segmented network, do the following:
nutanix@cvm$ acli vg.detach_external vg_name initiator_network_id=old_vm_IP
nutanix@cvm$ acli vg.attach_external vg_name initiator_network_id=new_vm_IP
Replace vg_name with the name of the volume group and old_vm_IP and new_vm_IP with the old and new client IP addresses, respectively.
To migrate existing iSCSI connections to eth0, do the following:
The settings for configuring network segmentation for disaster recovery apply to all Asynchronous, NearSync, and Metro Availability replication schedules. You can use disaster recovery with Asynchronous, NearSync, and Metro Availability replications only if both the primary site and the recovery site is configured with Network Segmentation. Before enabling or disabling the network segmentation on a host, disable all the disaster recovery replication schedules running on that host.
Parameter or Setting | Description |
---|---|
Virtual IP |
(Optional) Virtual IP address for the service. If specified, the IP address must
be picked from the specified IP address pool. If not specified, an IP address from the
specified IP address pool is selected for you.
Note:
Virtual IP address is different
from the external IP address and the data services IP address of the
cluster.
|
Gateway | Gateway to the subnetwork. |
After configuring network segmentation for disaster recovery, configure remote sites at both locations. You also need to reconfigure remote sites if you disable network segmentation.
For information about configuring remote sites, see Remote Site Configuration in the Data Protection and Recovery with Prism Element Guide.
A stretched Layer 2 network configuration allows the source and remote metro clusters to be in the same broadcast domain and communicate without a gateway.
You can enable network segmentation for disaster recovery on a stretched Layer 2 network that does not have a gateway. A stretched Layer 2 network is usually configured across the physically remote clusters such as a metro availability cluster deployment. A stretched Layer 2 network allows the source and remote clusters to be configured in the same broadcast domain without the usual gateway.
See AOS Release Notes for minimum AOS version required to configure a stretched Layer 2 network.
To configure a network segment as a stretched L2 network, do the following.
nutanix@cvm$ network_segmentation --service_network --service_name=kDR
--ip_pool=
DR-ip-pool-name
--service_vlan=
DR-vlan-id
--desc_name=
Description
--host_physical_network=
portgroup/bridge
--stretched_metro
Replace the following: (See Isolating Service-Specific Traffic for the information)
For more information about the network_segmentation command, see the Command Reference guide.
This procedure shows how to create an IP pool for backplane interfaces using the new CLI.
Network Segmentation for backplane traffic previously required an entire subnet even if a cluster has a small number of nodes. This resulted in inefficient use of IP addresses. The backplane IP pool feature enables you to provide a small IP pool instead of an entire subnet.
You can create an IP address pool using the new network_segmentation ip_pool command. The named IP pool includes one or more IP ranges. For example, an IP address from 172.16.1.100 to 172.16.1.105 can be one IP range and 172.16.1.120 to 172.16.1.125 can be another IP range within the same named IP pool and same IP subnet.
At present in the Prism interface, there is no option to create an IP address pool for backplane segmentation. However, the Prism interface allows creating small IP address pools for service-specific traffic such as Volumes and DR. You can use the new network_segmentation ip_pool CLI to create IP address pools for Backplane, Volumes, and DR as well. You can also manage (edit, delete, and update) IP address pools that are created for Backplane, Volumes and DR using the new CLI.
nutanix@cvm$ network_segmentation --ip_pool_name=IP-Pool-name --ip_pool_netmask=netmask
--ip_ranges="[(‘First-IP-Address', ‘Last-IP-Address'), (‘First-IP-Address', ‘Last-IP-Address')]"
ip_pool create
Replace:
For example:
nutanix@cvm$ network_segmentation --ip_pool_name=BackplanePool --ip_pool_netmask=255.255.255.0
--ip_ranges="[('172.16.1.100', '172.16.1.105'), ('172.16.1.120', '172.16.1.125')]"
ip_pool create
nutanix@cvm$ network_segmentation --backplane_network --ip_pool=BackplanePool --backplane_vlan=1234
--host_virtual_switch=vs1
This procedure shows how to enable Backplane Network Segmentation on a mixed hypervisor cluster.
You can enable Backplane Network Segmentation on a mixed hypervisor cluster containing:
On a cluster containing ESXi and AHV storage only nodes:
nutanix@cvm$ network_segmentation --backplane_network
--ip_pool=IP-pool-name
--backplane_vlan=VLAN-ID
[--esx_host_physical_network=ESXi-host-portgroup-name ]
[--esx_cvm_physical_network=ESXi-cvm-portgroup-name ]
[--ahv_host_physical_network=AHV-network-name ]
On a cluster containing Hyper-V and AHV storage only nodes:
nutanix@cvm$ network_segmentation --backplane_network
--ip_pool=IP-pool-name
--backplane_vlan=VLAN-ID
[--hyperv_host_physical_network=HyperV-host-network-name ]
[--ahv_host_physical_network=AHV-network-name ]
In the above command replace:
IP-Pool-name with a user defined IP pool name
VLAN-ID with a backplane VLAN ID
ESXi-host-portgroup-name with the ESXi host network name
ESXi-cvm-portgroup-name with the ESXi CVM network name
AHV-network-name with the AHV storage only node bridge name
HyperV-host-network-name with the Hyper-V switch name
For example, enable network segmentation on a mixed hypervisor containing ESXi and AHV storage only nodes:
nutanix@cvm$ network_segmentation --backplane_network
--ip_pool=BackplanePool
--backplane_vlan=1234
--esx_host_physical_network=host-pg
--esx_cvm_physical_network=cvm-pg
--ahv_host_physical_network=br1
You can update the backplane portgroups that are assigned to CVM and host nodes. Earlier, to change a portgroup that is assigned to a CVM and host, you had to disable Network Segmentation and re-enable with new portgroups.
This feature is only supported on a cluster running ESXi hypervisor.
Updating backplane portgroups helps you to:
For renaming existing VSS or VDS portgroups, you must manually perform the rename operation from the vCenter application or use the ESXi CLI and run the update operation with the new portgroup. This is to ensure the configuration stored in the Nutanix internal database is up to date.
Consider the following limitations before updating backplane portgroups:
This procedure shows how to update backplane portgroups:
You can update the backplane portgroups that are assigned to CVM and host nodes
nutanix@cvm$ network_segmentation --backplane_network
--host_physical_network=new-host-portgroup-name
--cvm_physical_network=new-cvm-portgroup-name
--update
In the above command replace:
For example:
nutanix@cvm$ network_segmentation --backplane_network
--host_physical_network=new-bp-host-pgroup
--cvm_physical_network=new-bp-cvm-pgroup
--update
For creating a port group, see Creating Port Groups on the Distributed Switch in vSphere Administration Guide for Acropolis .
This procedure shows how to create custom IP addresses for each CVM and host for network segmentation.
IP Address customization for each CVM and host feature enables you to allocate an IP address manually to a CVM and host. This helps in maintaining similarity between external and segmented IP addresses. This feature is supported while configuring backplane segmentation, service specific traffic isolation for Volumes, and service specific traffic isolation for Disaster Recovery.
You must manually define the mapping of the CVM external IP address to the new segmented IP address in a JSON file. The segmented IP addresses should belong to the same IP address pool that is created from the Prism UI or the CLI command before starting the Network Segmentation operation. You can create and save the JSON file in any CVM in the cluster.
Here is the example of JSON file format:
{ "svmips": { `cvm_external_ip1`: `cvm_backplane_ip1`, `cvm_external_ip2`: `cvm_backplane_ip2`, `cvm_external_ip3`: `cvm_backplane_ip3` }, "hostips": { `host_external_ip1`: `host_backplane_ip1`, `host_external_ip2`: `host_backplane_ip2`, `host_external_ip3`: `host_backplane_ip3` } }For example:
{ "svmips": { "10.47.240.141": "172.16.10.141", "10.47.240.142": "172.16.10.142", "10.47.240.143": "172.16.10.143" }, "hostips": { "10.47.240.137": "172.16.10.137", "10.47.240.138": "172.16.10.138", "10.47.240.139": "172.16.10.139" } }
{ "svmips": { `cvm_external_ip1`: `cvm_service_ip1`, `cvm_external_ip2`: `cvm_service_ip2`, `cvm_external_ip3`: `cvm_service_ip3` } }For example:
{ "svmips": { "10.47.240.141": "10.47.6.141", "10.47.240.142": "10.47.6.142", "10.47.240.143": "10.47.6.143" } }
nutanix@CVM:~$ network_segmentation --service_network --ip_pool=pool1 --desc_name="Volumes Seg 1" --service_name=kVolumes --host_physical_network=dv-volumes-network-1 --service_vlan=151 --ip_map_filepath=/home/nutanix/ip_map.json
This procedure shows how to enable physical backplane segmentation on a cluster containing Hyper-V node using CLI.
Physical backplane segmentation support is now available on a cluster containing Hyper-V nodes. Earlier, the support was available on AHV and ESXi nodes.
nutanix@CVM:~$ network_segmentation --backplane_network
--ip_pool=IP-Pool-name
--backplane_vlan=VLAN-ID
--host_physical_network=hyperv_host_physical_network
In the above command replace:
IP-Pool-name with a user defined IP pool name
VLAN-ID with a backplane VLAN ID
hyperv_host_physical_network with the Hyper-V switch name
For example:
nutanix@CVM:~$ network_segmentation --backplane_network
--ip_pool=BackplanePool
--backplane_vlan=1234
--host_physical_network=BackplaneSwitch
When expanding a cluster:
When you upgrade from an AOS version which does not support network segmentation to an AOS version that does, the eth2 interface (used to segregate backplane traffic) is automatically created on each CVM. However, the network remains unsegmented, and the cluster services on the CVM continue to use eth0 until you configure network segmentation.
The vNICs ntnx0, ntnx1, and so on, are not created during an upgrade to a release that supports service-specific traffic isolation. They are created when you configure traffic isolation for a service.
Do not delete the eth2 interface that is created on the Controller VMs, even if you are not using the network segmentation feature.
Ports and Protocols describes detailed port information (like protocol, service description, source, destination, and associated service) for Nutanix products and services. It includes port and protocol information for 1-click upgrades and LCM updates.
This chapter describes how to configure cluster-wide setting for log-forwarding and documenting the log fingerprint.
The Nutanix Controller VM provides a method for log integrity by using a cluster-wide setting to forward all the logs to a central log host. Due to the appliance form factor of the Controller VM, system and audit logs does not support local log retention periods as a significant increase in log traffic can be used to orchestrate a distributed denial of service attack (DDoS).
Nutanix recommends deploying a central log host in the management enclave to adhere to any compliance or internal policy requirement for log retention. In case of any system compromise, a central log host serves as a defense mechanism to preserve log integrity.
Use the nCLI to enable forwarding of system, audit, aide, and SCMA logs of all the Controller nodes in a cluster at the required log level. For more information, see Send Logs to Remote Syslog Server in the Acropolis Advanced Administration Guide
For forensic analysis, non-repudiation is established by verifying the fingerprint of the public key for the log file entry.
nutanix@cvm$ ssh-keygen -lf /<location of>/id_rsa.pub
The fingerprint is then compared to the SSH daemon log entries and forwarded to the central log host ( /home/log/secure in the Controller VM).
Prism Central provides several mechanisms and features to enforce security of your multi-cluster environment.
If you enable Identity and Access Management (IAM), see Security Management Using Identity and Access Management (Prism Central).
Prism Central supports these user authentication options:
If you do not enable Nutanix Identity and Access Management (IAM) on Prism Central, ADFS is the only supported IDP for Single Sign-on. If you enable IAM, additional IDPs are available. For more information, see Security Management Using Identity and Access Management (Prism Central) and Updating ADFS When Using SAML Authentication.
The Authentication Configuration window appears.
A set of fields is displayed. Do the following in the indicated fields:
This is a name you choose to identify this entry; it need not be the name of an actual directory.
Enter the domain name in DNS format, for example, nutanix.com .
The URL format is as follows for an LDAP entry:
ldap://
host
:
ldap_port_num
.
The host value is either the IP address or fully qualified domain
name. (In some environments, a simple domain name is sufficient.)
The default LDAP port number is 389. Nutanix also supports LDAPS
(port 636) and LDAP/S Global Catalog (ports 3268 and 3269). The
following are example configurations appropriate for each port
option:
ldap://ad_server.mycompany.com:389
ldaps://ad_server.mycompany.com:636
The value for the following variables depend on your OpenLDAP configuration.
Here are some of the possible options for the fields:
cn=username, dc=company, dc=com
A service account is created to run only a particular service or application with the credentials specified for the account. According to the requirement of the service or application, the administrator can limit access to the service account.
A service account is under the Managed Service Accounts in the Active Directory and openLDAP server. An application or service uses the service account to interact with the operating system. Enter your Active Directory and openLDAP service account credentials in this (username) and the following (password) field.
This saves the configuration and redisplays the Authentication Configuration dialog box. The configured directory now appears in the Directory List tab.
After clicking the pencil icon, the relevant fields reappear. Enter the new information in the appropriate fields and then click the Save button.
After clicking the X icon, a window prompt appears to verify the delete action; click the OK button. The entry is removed from the list.
IAM allows only one identity provider at a time, so if you already configured one, the + New IDP link does not appear.
A set of fields is displayed. Do the following in the indicated fields:
Identity providers typically provide an XML file on their website that includes metadata about that identity provider, which you can download from that site and then upload to Prism Central. Click + Import Metadata to open a search window on your local system and then select the target XML file that you downloaded previously. Click the Save button to save the configuration.
After clicking the pencil icon, the relevant fields reappear. Enter the new information in the appropriate fields and then click the Save button.
After clicking the X icon, a window prompt appears to verify the delete action; click the OK button. The entry is removed from the list.
The Client Chain Certificate is a list of certificates that includes all intermediate CA and root-CA certificates.
Client authentication allows you to securely access the Prism by exchanging a digital certificate. Prism will validate that the certificate is signed by your organization’s trusted signing certificate.
Client authentication ensures that the Nutanix cluster gets a valid certificate from the user. Normally, a one-way authentication process occurs where the server provides a certificate so the user can verify the authenticity of the server (see Installing an SSL Certificate). When client authentication is enabled, this becomes a two-way authentication where the server also verifies the authenticity of the user. A user must provide a valid certificate when accessing the console either by installing the certificate on the local machine or by providing it through a smart card reader.The Common Access Card (CAC) is a smart card about the size of a credit card, which some organizations use to access their systems. After you insert the CAC into the CAC reader connected to your system, the software in the reader prompts you to enter a PIN. After you enter a valid PIN, the software extracts your personal certificate that represents you and forwards the certificate to the server using the HTTP protocol.
Nutanix Prism verifies the certificate as follows:
OCSP is the recommended method for checking certificate revocation in client authentication. You can enable certificate revocation checking using the OSCP method through the command line interface (nCLI).
To enable certificate revocation checking using OCSP for client authentication, do the following.
ncli authconfig set-certificate-revocation set-ocsp-responder=<ocsp url>
<ocsp url>
indicates the location of the OCSP responder.
ncli authconfig get-client-authentication-config
The expected output if certificate revocation checking is enabled successfully is as follows.
Auth Config Status: true File Name: ca.cert.pem OCSP Responder URI: http://<ocsp-responder-url>
You can use the CRL certificate revocation checking method if required, as described in this section.
To enable certificate revocation checking using CRL for client authentication, do the following.
ncli authconfig set-certificate-revocation set-crl-uri=<uri 1>,<uri 2>
set-crl-refresh-interval=<refresh interval in seconds>
set-crl-expiration-interval=<expiration interval in seconds>
The Prism Central admin user is created automatically, but you can add more (locally defined) users as needed. To add, update, or delete a user account, do the following:
The Local User Management dialog box appears.
English is selected by default. You have an option to select Simplified Chinese or Japanese . If you select either of these, the cluster locale is updated for the new user. For example, if you select Simplified Chinese , the user interface is displayed in Simplified Chinese when the new user logs in.
There are three options:
This saves the configuration and redisplays the dialog box with the new user appearing in the list.
A Yes value means the login is enabled; a No value means it is disabled. A user account is enabled (login access activated) by default.
This procedure describes how to reset a local user's password on the Prism Element or the Prism Central web consoles.
To reset the password using nCLI, do the following:
Only a user with admin privileges can reset a password for other users.
nutanix@cvm$ ncli user reset-password user-name=xxxxx password=yyyyy
Replace user-name=xxxxx with the name of the user whose password is to be reset.
Replace password=yyyyy with the new password.
You can relaunch the Prism Element or the Prism Central web console and verify the new password setting.
To delete a directory-authenticated user, do the following:
Prism deletes the user account and also removes the user from any associated projects.
Repeat the same steps if the user is associated with multiple projects.
Prism Central supports role-based access control (RBAC) that you can configure to provide customized access permissions for users based on their assigned roles. The roles dashboard allows you to view information about all defined roles and the users and groups assigned to those roles.
The following built-in roles are defined by default. You can see a more detailed list of permissions for any of the built-in roles through the details view for that role (see Displaying Role Permissions). The Project Admin, Developer, Consumer, and Operator roles are available when assigning roles in a project.
Role | Privileges |
---|---|
Super Admin | Full administrator privileges |
Prism Admin | Full administrator privileges except for creating or modifying the user accounts |
Prism Viewer | View-only privileges |
Self-Service Admin |
Manages all cloud-oriented resources and services
Note:
This is the only cloud
administration role available.
|
Project Admin |
Manages cloud objects (roles, VMs, Apps, Marketplace) belonging to a
project
Note:
You can specify a role for a user when you assign a user to a
project, so individual users or groups can have different roles in the same
project.
|
Developer | Develops, troubleshoots, and tests applications in a project |
Consumer | Accesses the applications and blueprints in a project |
Operator | Accesses the applications in a project |
VPC Admin | Manages VPCs and related entities. Agnostic of the physical network/infrastructure. VPC admin of a Nutanix deployment. |
If the built-in roles are not sufficient for your needs, you can create one or more custom roles (AHV only).
To create a custom role, do the following:
The Roles page appears. See Custom Role Permissions for a list of the permissions available for each custom role option.
For example, for the VM entity, click the radio button for the desired VM permissions:
If you select Set Custom Permissions , click the Change link to display the Custom VM Permissions window, check all the permissions you want to enable, and then click the Save button. Optionally, check the Allow VM Creation box to allow this role to create VMs.
Perform the following procedure to modify or delete a custom role.
A selection of permission options are available when creating a custom role.
The following table lists the permissions you can grant when creating or modifying a custom role. When you select an option for an entity, the permissions listed for that option are granted. If you select Set custom permissions , a complete list of available permissions for that entity appears. Select the desired permissions from that list.
Entity | Option | Permissions |
---|---|---|
App (application) | No Access | (none) |
Basic Access | Abort App Runlog, Access Console VM, Action Run App, Clone VM, Create AWS VM, Create Image, Create VM, Delete AWS VM, Delete VM, Download App Runlog, Update AWS VM, Update VM, View App, View AWS VM, View VM | |
Set Custom Permissions (select from list) | Abort App Runlog, Access Console VM, Action Run App, Clone VM, Create App, Create AWS VM, Create Image, Create VM, Delete App, Delete AWS VM, Delete VM, Download App Runlog, Update App, Update AWS VM, Update VM, View App, View AWS VM, View VM | |
VM Recovery Point | No Access | (none) |
View Only | View VM Recovery Point | |
Full Access | Delete VM Recovery Point, Restore VM Recovery Point, Snapshot VM, Update VM Recovery Point, View VM Recovery Point, Allow VM Recovery Point creation | |
Set Custom Permissions (Change) | Abort App Runlog, Access Console VM, Action Run App, Clone VM, Create App, Create AWS VM, Create Image, Create VM, Delete App, Delete AWS VM, Delete VM, Download App Runlog, Update App, Update AWS VM, Update VM, View App, View AWS VM, View VM | |
Note:
You can assign permissions for the VM Recovery Point entity to users or user groups in the following two ways.
Tip:
When a recovery point is created, it is associated with the
same category as the VM.
|
||
VM | No Access | (none) |
View Access | Access Console VM, View VM | |
Basic Access | Access Console VM, Update VM Power State, View VM | |
Edit Access | Access Console VM, Update VM, View Subnet, View VM | |
Full Access | Access Console VM, Clone VM, Create VM, Delete VM, Export VM, Update VM, Update VM Boot Config, Update VM CPU, Update VM Categories, Update VM Description, Update VM Disk List, Update VM GPU List, Update VM Memory, Update VM NIC List, Update VM Owner, Update VM Power State, Update VM Project, View Cluster, View Subnet, View VM. | |
Set Custom Permissions (select from list) | Access Console VM, Clone VM, Create VM, Delete VM, Update VM, Update VM Boot Config, Update VM CPU, Update VM Categories, Update VM Disk List, Update VM GPU List, Update VM Memory, Update VM NIC List, Update VM Owner, Update VM Power State, Update VM Project, View Cluster, View Subnet, View VM. | |
Granular permissions (applicable if IAM is enabled, see Granular Role-Based Access Control (RBAC)) for details. Allow VM Power Off, Allow VM Power On, Allow VM Reboot, Allow VM Reset, Expand VM Disk Size, Mount VM CDROM, Unmount VM CDROM, Update VM Memory Overcommit, Update VM NGT Config, Update VM Power State Mechanism |
||
Allow VM creation (additional option) | (n/a) | |
Blueprint | No Access | (none) |
View Access | View Account, View AWS AZ, View AWS Elastic IP, View AWS Image, View AWS Key Pair, View AWS Machine Type, View AWS Region, View AWS Role, View AWS Security Group, View AWS Subnet, View AWS Volume Type, View AWS VPC, View Blueprint, View Cluster, View Image, View Project, View Subnet | |
Basic Access | Access Console VM, Clone VM, Create App,Create Image, Create VM, Delete VM, Launch Blueprint, Update VM, View Account, View App, View AWS AZ, View AWS Elastic IP, View AWS Image, View AWS Key Pair, View AWS Machine Type, View AWS Region, View AWS Role, View AWS Security Group, View AWS Subnet, View AWS Volume Type, View AWS VPC, View Blueprint, View Cluster, View Image, View Project, View Subnet, View VM | |
Full Access | Access Console VM, Clone Blueprint, Clone VM, Create App, Create Blueprint, Create Image, Create VM, Delete Blueprint, Delete VM, Download Blueprint, Export Blueprint, Import Blueprint, Launch Blueprint, Render Blueprint, Update Blueprint, Update VM, Upload Blueprint, View Account, View App, View AWS AZ, View AWS Elastic IP, View AWS Image, View AWS Key Pair, View AWS Machine Type, View AWS Region, View AWS Role, View AWS Security Group, View AWS Subnet, View AWS Volume Type, View AWS VPC, View Blueprint, View Cluster, View Image, View Project, View Subnet, View VM | |
Set Custom Permissions (select from list) | Access Console VM, Clone VM, Create App, Create Blueprint, Create Image, Create VM, Delete Blueprint, Delete VM, Download Blueprint, Export Blueprint, Import Blueprint, Launch Blueprint, Render Blueprint, Update Blueprint, Update VM, Upload Blueprint, View Account, View App, View AWS AZ, View AWS Elastic IP, View AWS Image, View AWS Key Pair, View AWS Machine Type, View AWS Region, View AWS Role, View AWS Security Group, View AWS Subnet, View AWS Volume Type, View AWS VPC, View Blueprint, View Cluster, View Image, View Project, View Subnet, View VM | |
Marketplace Item | No Access | (none) |
View marketplace and published blueprints | View Marketplace Item | |
View marketplace and publish new blueprints | Update Marketplace Item, View Marketplace Item | |
Full Access | Config Marketplace Item, Create Marketplace Item, Delete Marketplace Item, Render Marketplace Item, Update Marketplace Item, View Marketplace Item | |
Set Custom Permissions (select from list) | Config Marketplace Item, Create Marketplace Item, Delete Marketplace Item, Render Marketplace Item, Update Marketplace Item, View Marketplace Item | |
Report | No Access | (none) |
View Only | Notify Report Instance, View Common Report Config, View Report Config, View Report Instance | |
Full Access | Create Common Report Config, Create Report Config, Create Report Instance, Delete Common Report Config, Delete Report Config, Delete Report Instance, Notify Report Instance, Run Report Config, Share Report Config, Share Report Instance, Update Common Report Config, Update Report Config, View Common Report Config, View Report Config, View Report Instance, View User, View User Group | |
Cluster | No Access | (none) |
View Access | View Cluster | |
Update Access | Update Cluster | |
Full Access | Update Cluster, View Cluster | |
Subnet | No Access | (none) |
View Access | View Subnet, View Virtual Switch | |
Image | No Access | (none) |
View Only | View Image | |
Set Custom Permissions (select from list) | Copy Image Remote, Create Image, Delete Image, Migrate Image, Update Image, View Image | |
OVA | No Access | (none) |
View Access | View OVA | |
Full Access | View OVA, Create OVA, Update OVA and Delete OVA | |
Set custom permissions Change | View OVA, Create OVA, Update OVA and Delete OVA | |
Object Store | No Access | (none) |
View Access | View Object Store | |
Full Access | View Object Store, Create Object Store, Update Object Store and Delete Object Store | |
Set custom permissions Change | View Object Store, Create Object Store, Update Object Store and Delete Object Store | |
Analysis Session | No Access | (none) |
View Only | View Analysis Session | |
Full Access | Create Analysis Session, Delete Analysis Session, Share Analysis Session, Update Analysis Session, View Analysis Session, View User and View User Group | |
Dashboard | No Access | (none) |
View Only | View Dashboard | |
Full Access | Create Dashboard, Delete Dashboard, Share Dashboard, Update Dashboard, View Dashboard, View User and View User Group | |
Capacity Scenario | No Access | (none) |
View Only | View Capacity Scenario | |
Full Access | Create Whatif, Delete Whatif, Share Whatif, Update Whatif, View Whatif, View User and View User Group |
The following table describe the permissions.
Permission | Description | Assigned Implicilty By |
---|---|---|
Create App | Allows to create an application. | |
Delete App | Allows to delete an application. | |
View App | Allows to view an application. | |
Action Run App | Allows to run action on an application. | |
Download App Runlog | Allows to download an application runlog. | |
Abort App Runlog | Allows to abort an application runlog. | |
Access Console VM | Allows to access the console of a virtual machine. | |
Create VM | Allows to create a virtual machine. | |
View VM | Allows to view a virtual machine. | |
Clone VM | Allows to clone a virtual machine. | |
Delete VM | Allows to delete a virtual machine. | |
Export VM | Allows to export a virtual machine | |
Snapshot VM | Allows to snapshot a virtual machine. | |
View VM Recovery Point | Allows to view a vm_recovery_point. | |
Update VM Recovery Point | Allows to update a vm_recovery_point. | |
Delete VM Recovery Point | Allows to delete a vm_recovery_point. | |
Restore VM Recovery Point | Allows to restore a vm_recovery_point. | |
Update VM | Allows to update a virtual machine. | |
Update VM Boot Config | Allows to update a virtual machine's boot configuration. | Update VM |
Update VM CPU | Allows to update a virtual machine's CPU configuration. | Update VM |
Update VM Categories | Allows to update a virtual machine's categories. | Update VM |
Update VM Description | Allows to update a virtual machine's description. | Update VM |
Update VM GPU List | Allows to update a virtual machine's GPUs. | Update VM |
Update VM NIC List | Allows to update a virtual machine's NICs. | Update VM |
Update VM Owner | Allows to update a virtual machine's owner. | Update VM |
Update VM Project | Allows to update a virtual machine's project. | Update VM |
Update VM NGT Config | Allows updates to a virtual machine's Nutanix Guest Tools configuration. | Update VM |
Update VM Power State | Allows updates to a virtual machine's power state. | Update VM |
Update VM Disk List | Allows to update a virtual machine's disks. | Update VM |
Update VM Memory | Allows to update a virtual machine's memory configuration. | Update VM |
Update VM Power State Mechanism | Allows updates to a virtual machine's power state mechanism. | Update VM or Update VM Power State |
Allow VM Power Off | Allows power off and shutdown operations on a virtual machine. | Update VM or Update VM Power State |
Allow VM Power On | Allows power on operation on a virtual machine. | Update VM or Update VM Power State |
Allow VM Reboot | Allows reboot operation on a virtual machine. | Update VM or Update VM Power State |
Expand VM Disk Size | Allows to expand a virtual machine's disk size. | Update VM or Update VM Disk List |
Mount VM CDROM | Allows to mount an ISO to virtual machine's CDROM. | Update VM or Update VM Disk List |
Unmount VM CDROM | Allows to unmount ISO from virtual machine's CDROM. | Update VM or Update VM Disk List |
Update VM Memory Overcommit | Allows to update a virtual machine's memory overcommit configuration. | Update VM or Update VM Memory |
Allow VM Reset | Allows reset (hard reboot) operation on a virtual machine. | Update VM, Update VM Power State, or Allow VM Reboot |
View Cluster | Allows to view a cluster. | |
Update Cluster | Allows to update a cluster. | |
Create Image | Allows to create an image. | |
View Image | Allows to view a image. | |
Copy Image Remote | Allows to copy an image from local PC to remote PC. | |
Delete Image | Allows to delete an image. | |
Migrate Image | Allows to migrate an image from PE to PC. | |
Update Image | Allows to update a image. | |
Create Image Placement Policy | Allows to create an image placement policy. | |
View Image Placement Policy | Allows to view an image placement policy. | |
Delete Image Placement Policy | Allows to delete an image placement policy. | |
Update Image Placement Policy | Allows to update an image placement policy. | |
Create AWS VM | Allows to create an AWS virtual machine. | |
View AWS VM | Allows to view an AWS virtual machine. | |
Update AWS VM | Allows to update an AWS virtual machine. | |
Delete AWS VM | Allows to delete an AWS virtual machine. | |
View AWS AZ | Allows to view AWS Availability Zones. | |
View AWS Elastic IP | Allows to view an AWS Elastic IP. | |
View AWS Image | Allows to view an AWS image. | |
View AWS Key Pair | Allows to view AWS keypairs. | |
View AWS Machine Type | Allows to view AWS machine types. | |
View AWS Region | Allows to view AWS regions. | |
View AWS Role | Allows to view AWS roles. | |
View AWS Security Group | Allows to view an AWS security group. | |
View AWS Subnet | Allows to view an AWS subnet. | |
View AWS Volume Type | Allows to view AWS volume types. | |
View AWS VPC | Allows to view an AWS VPC. | |
Create Subnet | Allows to create a subnet. | |
View Subnet | Allows to view a subnet. | |
Update Subnet | Allows to update a subnet. | |
Delete Subnet | Allows to delete a subnet. | |
Create Blueprint | Allows to create the blueprint of an application. | |
View Blueprint | Allows to view the blueprint of an application. | |
Launch Blueprint | Allows to launch the blueprint of an application. | |
Clone Blueprint | Allows to clone the blueprint of an application. | |
Delete Blueprint | Allows to delete the blueprint of an application. | |
Download Blueprint | Allows to download the blueprint of an application. | |
Export Blueprint | Allows to export the blueprint of an application. | |
Import Blueprint | Allows to import the blueprint of an application. | |
Render Blueprint | Allows to render the blueprint of an application. | |
Update Blueprint | Allows to update the blueprint of an application. | |
Upload Blueprint | Allows to upload the blueprint of an application. | |
Create OVA | Allows to create an OVA. | |
View OVA | Allows to view an OVA. | |
Update OVA | Allows to update an OVA. | |
Delete OVA | Allows to delete an OVA. | |
Create Marketplace Item | Allows to create a marketplace item. | |
View Marketplace Item | Allows to view a marketplace item. | |
Update Marketplace Item | Allows to update a marketplace item. | |
Config Marketplace Item | Allows to configure a marketplace item. | |
Render Marketplace Item | Allows to render a marketplace item. | |
Delete Marketplace Item | Allows to delete a marketplace item. | |
Create Report Config | Allows to create a report_config. | |
View Report Config | Allows to view a report_config. | |
Run Report Config | Allows to run a report_config. | |
Share Report Config | Allows to share a report_config. | |
Update Report Config | Allows to update a report_config. | |
Delete Report Config | Allows to delete a report_config. | |
Create Common Report Config | Allows to create a common report_config. | |
View Common Report Config | Allows to view a common report_config. | |
Update Common Report Config | Allows to update a common report_config. | |
Delete Common Report Config | Allows to delete a common report_config. | |
Create Report Instance | Allows to create a report_instance. | |
View Report Instance | Allows to view a report_instance. | |
Notify Report Instance | Allows to notify a report_instance. | |
Notify Report Instance | Allows to notify a report_instance. | |
Share Report Instance | Allows to share a report_instance. | |
Delete Report Instance | Allows to delete a report_instance. | |
View Account | Allows to view an account. | |
View Project | Allows to view a project. | |
View User | Allows to view a user. | |
View User Group | Allows to view a user group. | |
View Name Category | Allows to view a category's name. | |
View Value Category | Allows to view a category's value. | |
View Virtual Switch | Allows to view a virtual switch. |
By default, only a self service admin or a cluster admin can view and restore the recovery points. However, a self service admin or cluster admin can grant permission to the project user to restore the VM from a recovery point.
To grant restore Permission to a project user, do the following:
After user authentication is configured (see Configuring Authentication), the users or the authorized directories are not assigned the permissions by default. The required permissions must be explicitly assigned to users, authorized directories, or organizational units using role mapping.
You can refine the authentication process by assigning a role with associated permissions to users, groups, and organizational units. This procedure allows you to map and assign users to the predefined roles in Prism Central such as, User Admin , Cluster Admin , and Viewer . To assign roles, do the following:
The Role Mapping window appears.
The Create Role Mapping window appears. Enter the required information in the following fields.
LDAP-based authentication
For AD
Enter the actual names used by the organizational units (it applies to all users and groups in those OUs), groups (all users in those groups), or users (each named user) used in LDAP in the Values field.
For example, entering sr_dev_1,staff_dev_1 in the Values field when the LDAP type is Group and the role is Cluster Admin, implies that all users in the sr_dev_1 and staff_dev_1 groups are assigned the administrative role for the cluster.
Do not include the domain name in the value. For example, enter all_dev , and not all_dev@<domain_name> . However, when users log in to Cluster Admin, include the domain along with the username.
User : Enter the sAMAccountName or userPrincipalName in the values field.
Group : Enter common name (cn) or name.
OU : Enter name.
For OpenLDAP
User : Use the username attribute (that was configured while adding the directory) value.
Group : Use the group name attribute (cn) value.
OU : Use the OU attribute (ou) value.
SAML-based authentication:
You must configure the NameID attribute in the identity provider. You can enter the NameID returned in the SAML response in the Values field.
For SAML, only User type is supported. Other types such as, Group and OU, are not supported.
If you enable Identity and Access Management, see Security Management Using Identity and Access Management (Prism Central)
The role mapping configurations are saved, and the new role is listed in the Role Mapping window.
You can create a role map for each authorized directory. You can also create multiple role maps that apply to a single directory. When there are multiple maps for a directory, the most specific rule for a user applies.
For example, adding a Group map set to Cluster Admin and a User map set to Viewer for a few specific users in that group means all users in the group have administrator permission except those few specific users who have only viewing permission.
Granular Role-Based Access Control (RBAC) allows you to assign fine-grained VM operation permissions to users based on your specific requirements. This feature enables you to create custom roles with finer permission entities like "Allow VM Power On" or "Allow VM Power Off" as compared to the broader permissions categories like "Update VM".
The procedure to configure Granular RBAC to users is similar to the procedure outlined in Creating a Custom Role. For the complete list of available permissions, see Custom Role Permissions.
Cluster role-based access control (RBAC) feature enables a super-admin user to provide Prism Admin and Prism Viewer roles access to one or more clusters registered with Prism Central. A user with Prism Central admin or viewer role is able to view and act on the entities like VM, host, container, VM recovery points, and recovery plans from the allowed clusters.
Cluster RBAC is currently supported on an on-prem Prism Central instance hosted in a Prism Element cluster running AHV or ESXi. After you enable the Micro Services Infrastructure feature on Prism Central, the Cluster RBAC feature is then automatically enabled.
This feature supports clusters that are hosted on AHV and VMware ESXi.
To configure Cluster RBAC in Prism Central for users or user groups, do the following.
You will add users or user groups and assign clusters to the new role in the upcoming steps.
Typing few letters in the search field displays a list of users from which you can select, and you can add multiple user names in this field.
Cluster role-based access control (RBAC) for Volume Group feature enables a super-admin user to provide Prism Admin and Prism Viewer roles access to one or more clusters registered with Prism Central. A user with Prism Admin role can view and update the entities like volume groups, virtual disks, and storage containers from the allowed clusters. However, a user with Prism Viewer role can only view the entities.
Cluster RBAC is currently supported on an on-prem Prism Central instance hosted in a Prism Element cluster running AHV. After you enable the Micro Services Infrastructure feature on Prism Central, the Cluster RBAC feature is then automatically enabled.
Cluster RBAC for Volume Group feature is supported on AHV and ESXi clusters.
Role | Privileges |
---|---|
Prism Admin | Full administrator privileges except for creating or modifying the user accounts |
Prism Viewer | View-only privileges |
To configure Cluster RBAC for Volume Group in Prism Central for users or user groups, do the following.
You will add users or user groups and assign clusters to the Prism Admin or Prism Viewer role in the upcoming steps.
In addition to configuring basic role maps (see Configuring Role Mapping), you can configure more precise role assignments (AHV only). To assign a role to selected users or groups that applies just to a specified set of entities, do the following:
You are adding users or user groups and assigning entities to the new role in the next steps.
Typing few letters in the search field displays a list of users from which you can select, and you can add multiple user names in this field.
This table lists the available entities for each role:
Role | Entities |
---|---|
Consumer | AHV VM, Image, Image Placement Policy, OVA, Subnets: VLAN |
Developer | AHV VM, Cluster, Image, Image Placement Policy, OVA, Subnets:VLAN |
Operator | AHV VM, Subnets:VLAN |
Prism Admin | Individual entity (one or more clusters), All Clusters |
Prism Viewer | Individual entity (one or more clusters), All Clusters |
Custom role (User defined role) | Individual entity, In Category (only AHV VMs) |
This table shows the description of each entity:
Entity | Description |
---|---|
AHV VM | Allows you to manage VMs including create and edit permission |
Image | Allows you to access and manage image details |
Image Placement Policy | Allows you to access and manage image placement policy details |
OVA | Allows you to view and manage OVA details |
Subnets: VLAN | Allows you to view subnet details |
Cluster | Allows you to view and manage details of assigned clusters (AHV and ESXi clusters) |
All Clusters | Allows you to view and manage details of all clusters |
VM Recovery Points | Allows you to perform recovery operations with recovery points. |
Recovery Plan (Single PC only)
|
Allows you to view, validate, and test recovery plans. Also allows you to clean up VMs created after recovery plan test. |
Individual entity | Allows you to view and manage individual entities such as AHV VM, Clusters, and Subnets:VLAN |
Do the following to display the privileges associated with a role.
For example, if you click the Consumer role, the details page for that role appears, and you can view all the privileges associated with the Consumer role.
A dialog box appears to verify the action; click the OK button. This generates and applies a new RSA 2048-bit self-signed certificate for Prism Central.
$ cat signer.crt inter.crt root.crt > server.cert
Order is essential. The total chain should begin with the
certificate of the signer and end with the root CA certificate as
the final entry.
After generating or uploading the new certificate, the interface gateway restarts. If the certificate and credentials are valid, the interface gateway uses the new certificate immediately, which means your browser session (and all other open browser sessions) will be invalid until you reload the page and accept the new certificate. If anything is wrong with the certificate (such as a corrupted file or wrong certificate type), the new certificate is discarded, and the system reverts back to the original default certificate provided by Nutanix.
Nutanix supports key-based SSH access to Prism Central. Enabling key-based SSH access ensures that password authentication is disabled and only the keys you have provided can be used to access the Prism Central (only for nutanix/admin users). Thus making the Prism Central more secure.
You can create a key pair (or multiple key pairs) and add the public keys to enable key-based SSH access. However, when site security requirements do not allow such access, you can remove all public keys to prevent SSH access.
To control key-based SSH access to Prism Central, do the following:
The Cluster Lockdown dialog box appears. Enabled public keys (if any) are listed in this window.
Remote login access is enabled by default.
There are no public keys available by default, but you can add any number of public keys.
Nutanix Flow includes a policy-driven security framework that inspects traffic within the data center. For more information, see the Flow Microsegmentation Guide.
Data-in-Transit Encryption allows you to encrypt service level traffic between the cluster nodes. Data-in-Transit Encryption, along with Data-at-Rest Encryption, protects the entire life cycle of data and is an essential countermeasure for unauthorized access of critical data.
Data-in-Transit Encryption allows you to encrypt service level traffic between the cluster nodes. To enable Data-in-Transit Encryption, do the following.
You can disable Data-in-Transit Encryption after you have enabled it. To disable Data-in-Transit Encryption, do the following.
For enhanced security, Prism Central and Prim Element locks out the default 'admin' account for a period of 15 minutes after five unsuccessful login attempts. Once the account is locked out, the following message is displayed at the login screen.
Account locked due to too many failed attempts
You can attempt entering the password after the 15 minutes lockout period, or contact Nutanix Support in case you have forgotten your password.
Enabled and administered from Prism Central, Identity and Access Management (IAM) is an authentication and authorization feature that uses attribute-based access control (ABAC). It is disabled by default. This section describes Prism Central IAM prerequisites, enablement, and SAML-based standard-compliant identity provider (IDP) configuration.
After you enable the Micro Services Infrastructure (CMSP) on Prism Central, IAM is automatically enabled. You can configure a wider selection of identity providers, including Security Assertion Markup Language (SAML) based identity providers. The Prism Central web console presents an updated sign-on/authentication page.
The enable process migrates existing directory, identity provider, and user configurations, including Common Access Card (CAC) client authentication configurations. After enabling IAM, if you want to enable a client to authenticate by using certificates, you must also enable CAC authentication. For more information, see Identity and Access Management Prerequisites and Considerations. Also, see the Identity and Access Management Software Support topic in the Prism Central Release Notes for specific support requirements.
The work flows for creating authentication configurations and providing user and role access described in Configuring Authentication) are the same whether IAM is enabled or not.
Based on the Kubernetes open source platform, IAM uses independent pods for authentication (AuthN), authorization (AuthZ), and IAM data storage and replication.
Without enabling CMSP/IAM on Prism Central, Active Directory Federation Services (ADFS) is the only supported IDP for Single Sign-on. After you enable it, IAM supports more IDPs. Nutanix has tested these IDPs when SAML IDP authentication is configured for Prism Central.
Users can log on from the Prism Central web console only. IDP-initiated authentication work flows are not supported. That is, logging on or signing on from an IDP web page or site is not supported.
After enabling IAM, the Prism Central login page is updated depending on your configuration. For example, if you have configured local user account and Active Directory authentication, this default page appears for directory users as follows. To log in as a local user, click the Log In with your Nutanix Local Account link.
In another example, if you have configured SAML authentication instances named Shibboleth and AD2, Prism Central displays this page.
Make sure you meet the requirements listed before you enable the microservices infrastructure, which enables IAM.
For specific minimum software support and requirements for IAM, see the Prism Central release notes.
For microservices infrastructure requirements, see Enabling Microservices Infrastructure in the Prism Central Guide .
Ensure that you have configured the following cluster settings. For more information, see Modifying Cluster Details in Prism Web Console Guide .
The Prism Central web console shows a new log in page as shown below. This confirms that IAM is enabled.
Depending on your existing authentication configuration, the log in page might look different.
Also, you can go to Settings > Prism Central Management page to verify if Prism Central on Microservices Infrastructure (CMSP) is enabled. CMSP and IAM enablement happen together.
Prism Central supports user authentication with these authentication options:
With IAM, in addition to ADFS, other IDPs are available. For more information, see Security Management Using Identity and Access Management (Prism Central) and Updating ADFS When Using SAML Authentication.
Client authentication allows you to securely access the Prism by exchanging a digital certificate. Prism validates if the certificate is signed by the trusted signing certificate of your organization.
Client authentication ensures that the Nutanix cluster gets a valid certificate from the user. Normally, a one-way authentication process occurs where the server provides a certificate so the user can verify the authenticity of the server. When client authentication is enabled, this process becomes a two-way authentication where the server also verifies the authenticity of the user. A user must provide a valid certificate when accessing the console either by installing the certificate on the local machine, or by providing it through a smart card reader.
The Common Access Card (CAC) is a smart card about the size of a credit card, which some organizations use to access their systems. After you insert the CAC into the CAC reader connected to your system, the software in the reader prompts you to enter a PIN. After you enter a valid PIN, the software extracts your personal certificate that represents you and forwards the certificate to the server using the HTTP protocol.
Nutanix Prism verifies the certificate as follows:
With Nutanix IAM, to maintain compatibility with new and existing IDP/SAML authentication configurations, update your Active Directory Federated Services (ADFS) configuration - specifically the Prism Central Relying Party Trust settings. For these configurations, you are using SAML as the open standard for exchanging authentication and authorization data between ADFS as the identity provider (IDP) and Prism Central as the service provider. See the Microsoft Active Directory Federation Services documentation for details.
In your ADFS Server configuration, update the Prism Central Relying Party Trust settings by creating claim rules to send the selected LDAP attribute as the SAML NameID in email address format. For example, map the User Principal Name to NameID in the SAML assertion claims.
As an example, this topic uses UPN as the LDAP attribute to map. You could also map the email address attribute to NameID. See the Microsoft Active Directory Federation Services documentation for details about creating a claims aware Relying Party Trust and claims rules.
IAM allows only one identity provider at a time, so if you already configured one, the + New IDP link does not appear.
A set of fields is displayed. Do the following in the indicated fields:
Identity providers typically provide an XML file on their website that includes metadata about that identity provider, which you can download from that site and then upload to Prism Central. Click + Import Metadata to open a search window on your local system and then select the target XML file that you downloaded previously. Click the Save button to save the configuration.
After clicking the pencil icon, the relevant fields reappear. Enter the new information in the appropriate fields and then click the Save button.
After clicking the X icon, a window prompt appears to verify the delete action; click the OK button. The entry is removed from the list.
Prism Central regularly backs up the Identity and Access Management (IAM) database, typically every 15 minutes. This procedure describes how to restore a specific time-stamped IAM backup instance.
nutanix@pcvm$ sh /home/nutanix/cluster/bin/restore_iamv2.sh
Enter the Backup No. from the backup list (default is 1):
You Selected the Backup No 1 Stopping the IAM services Waiting to stop all the IAM services and to start the restore process Restore Process Started Restore Process Completed ... Restarting the IAM services IAM Services Restarted Successfully
After the script runs successfully, the command shell prompt returns and your IAM configuration is restored.
As an admin user, you can access a text file that lists all of the open source software running on a cluster.
Perform the following procedure to access a list of the open source software running on a cluster.
less /usr/local/nutanix/license/blackduck_version_license.txt
Last updated: 2022-10-31
Beam is a Cost Governance SaaS product offering by Nutanix that helps cloud-focused organizations to gain visibility into cloud spend across multiple cloud environments.
The following are a few of the key functionalities that help you with the cost management:
Beam provides the following capabilities:
Beam application enables you to take control of your cloud spend on the Nutanix on-premises resources. The application supports Nutanix enterprise cloud deployments to extend cost visibility capability into the multi-cloud cost governance portfolio.
Beam provides cost visibility into the on-premises clusters and resources. The costs are modeled to reflect the true cost of owning an on-prem infrastructure including Nutanix hardware, software, facilities, administration, and so on. The holistic cost visibility helps you to understand and control the overall cost associated with the Nutanix private cloud environment.
Nutanix cost management supports the following features.
The application obtains the purchase and consumption data from Nutanix sales databases, MyNutanix Portal account, and Pulse .
Apart from providing cost visibility and optimization recommendations for individual clouds, the application also provides cost visibility and optimization recommendations for entities with multiple clouds (Nutanix, AWS, Azure, and GCP). You can configure two types of multicloud entities - Financial and Scope.
Financial is a hierarchical structure comprising of Business units and Cost Centers used for Chargeback. Chargeback allows you to group cloud resources across multiple clouds (Nutanix, AWS, Azure, and GCP) within Cost Centers and Business units. By design, a cloud resource cannot be part of different cost centers or business units. For more information, see Chargeback.
Scope is a custom resource group with resources across multiple clouds (Nutanix, AWS, Azure, and GCP). Scopes are useful in providing visibility to logical resource groups like applications, project teams, cross-functional initiatives, and so on. Hence, by design, a cloud resource can be part of multiple Scopes. For more information, see Scopes.
This section provides information on the layout and navigation of the Beam console.
The Beam console provides a graphical user interface to manage Beam settings and features.
When you log on to the Beam for the first time, the View Selector pop-up appears. The View Selector pop-up allows you to search for an account by typing the account name in the search box or navigate and select a cloud account, business unit or cost center, and custom scope.
The Dashboard is the welcome page that appears after logging and selecting a view in Beam.
For the subsequent logins, the last visited page for the last selected view (account, business unit or cost center, and scope) appears. You can click View in the top-right corner to open the View Selector pop-up and select a different view.
View | Description |
---|---|
All Clouds | Select this view to get total cost visibility for AWS-, Azure-, GCP-, and Nutanix-accounts for which you have access. |
Nutanix | Allows you to select Nutanix-accounts. |
Financial | Allows you to select business units or cost centers you created for the chargeback. |
Scopes | Allows you to select the custom scopes you created. |
The Beam Console screens are divided into different sections, as described in the following image and table.
Menu | Description |
---|---|
Hamburger icon | Displays a menu of features on the left. When the main menu is displayed, the hamburger icon changes to an X button. Click the X button to hide the menu. |
Alerts | The Alert option allows you to see system-generated alert notifications. Click the bell icon from the main menu bar to view alerts. Click See More to view the complete list of notification. |
User Menu |
The user drop-down menu has the following options.
|
Help Menu |
You can click the question mark icon in the top-right corner of
the Console to view the following:
|
Widgets Section | The widgets section displays the informational and actionable widgets corresponding to the feature that you have selected from the main menu. For instance, the Dashboard page display widgets like Spend Overview , Spend Analysis , Spend Overview - TCO Cost Heads , and Spend Overview - Virtual Machines . |
View option | Click View in the top-right corner to open the View Selector pop-up. |
Clicking the Hamburger icon displays a menu of features on the left. When the main menu is displayed, the Hamburger icon changes to an X button. Click the X button to hide the menu.
The following table describes each feature in the main menu.
Feature | Description |
---|---|
Dashboard | Displays the Dashboard page (see Dashboard (Nutanix)). |
Analyze |
Displays the
Analyze
page (see Cost Analysis (Nutanix)).
Analyze allows you to track cost consumption across all your cloud resources at both the aggregate and granular level. You can drill down cost further based on your services, accounts, or application workload. |
Chargeback |
Displays the
Chargeback
page (see Chargeback).
Enables the financial control of your cloud spends by providing the ability to allocate cloud resources to departments based on definitions. It provides a consolidated view across all your cloud accounts in a single pane for Finance views. |
Budget |
Displays the
Budget
page (see Budget).
A budget allows you to centralize the budget at the business unit, cost center, or scope levels to ensure that your consumption is within the budget that you have defined. |
Reports |
Displays the
Reports
page (see Cost Reports).
Beam generates reports to track cost consumption across all your cloud accounts at both aggregate and granular levels, like a functional unit, workloads, and applications. The reports are generated automatically and are available to view, download, or share from the Beam console. |
Configure menu |
The Configure menu allows you to do the following operations.
|
Beam allows you to do the following administrative controls.
You can add and manage users using the Beam console.
This section helps you to understand all the different roles in Beam and when you would use each.
When a user creates a Beam Subscription , a tenant is triggered and the user becomes the owner of that tenant. An owner is shown as Admin (Owner) in the User Management page. The owner role has the following attributes.
You can't create an owner role in Beam. However, you can create as many as three Beam owners from My Nutanix. Only My Nutanix Account Administrators have the necessary permissions to create Beam owners. For more information on My Nutanix user management, see Cloud Services Administration Guide .
An administrator is shown as Admin in the User Management page. The administrator role has the following attributes.
A user role is created by granting read-only or read & write permission for selected accounts.
Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution that you can use for implementing single sign-on in Beam. To integrate ADFS with Beam, log on to your MyNutanix account, and perform the integration. See SAML Authentication for details. To log on to your Beam account using ADFS, see Logging into Xi Cloud Services as an SAML User .
If you log on to Beam through ADFS, you can get access to Nutanix Support only if your MyNutanix account was used to add your Beam user account. However, if your Beam user account was not added using your MyNutanix account, you do not get access to support.
Beam is a multi-cloud cost governance SaaS product that provides a free, full-featured, 14-day trial period. During the free trial period, you can configure your Nutanix On-premises and public cloud accounts (AWS, Azure, and GCP) in Beam to evaluate the features. It takes about 15 minutes to configure your cloud accounts in Beam.
You can add your Nutanix account in Beam application. The application allows you to track your cloud expenses, optimize your cloud cost, and achieve visibility into your spend.
To add your Nutanix account in Beam, do the following.
Beam Gov(US) is an isolated instance running in AWS GovCloud (US) region to cater specific regulatory compliance requirements of the US government agencies at federal, state, and local levels, government contractors, educational institutes, and other US customers who run sensitive workload in AWS GovCloud and Azure Government Cloud, and want to bring Cost Governance for their cloud infrastructure, gain visibility, optimize and control their spend. Beam Gov(US) provides a single plane consolidated view for Cost Governance.
Contact the sales team expressing an interest in using Beam Gov(US).
The request is forwarded for verification to the Nutanix GovCloud Security team. As part of the verification, you will receive a form through DocuSign that you must fill and send back.
Once the request passes through the verification, Customer Service initiates the account creation process, and the primary user is notified with login details through an email. The email contains verification link, upon verifying email, the user can login to the Beam Gov(US).
You can add and manage users for GovCloud using the Beam console.
To go to the User Management page, click the Hamburger icon in the top-left corner to display the main menu. Then, click Configure > User Management . To add a user, see Adding a Beam User.
In the case of AWS user management, the user may have access to the commercial account but no access to the GovCloud account linked to the commercial account. To give AWS GovCloud account access to a user, you must select the GovCloud account linked to the commercial account.
You can reset your password and enable or disable MFA from the Profile page in the Beam console.
To go to the Profile page, click the user drop-down menu on the top-right corner and select Profile .
To change your password, click the Change Password link.
To enable MFA, do the following.
The Enable Multi-factor Authentication page appears.
The virtual MFA application starts generating codes.
To disable MFA, click the Disable MFA link in the Profile page.
In the case your MFA device is lost or not accessible, click Login via OTP (for lost MFA)? link. Beam sends an OTP to your registered email id. Enter the OTP to login to Beam.
The following section describes how to configure the single sign-on feature for Beam Gov(US).
To configure the single sign-on feature, do the following.
A success message appears, displaying that the single sign-on is successfully configured.
You are redirected to your organization’s single sign-on application page.
Enter your credentials and login to Beam Gov(US).
Beam allows you to define configuration settings for your cloud cost data. Cost Configuration is a set of rules that allow you to update cost inputs manually, and also select cost presentation options, allocation model options, and reporting rules that define how the cost of cloud resources get reported in Beam.
Beam supports only Pulse enabled clusters. Any cluster with Pulse not enabled is considered as not onboard for Beam and is not shown in the Cluster tab. If pulse is not available due to some reason for a particular day then the cluster cost incurred for that day is known as Unmetered cluster cost
You can configure the cost for Nutanix Product Portfolio, Cluster, and Resources.
To go to the Cost Configuration page, click the Hamburger icon in the top-left corner to display the main menu. Then, click Configure > Nutanix Cost Configuration .
The Product Portfolio tab is a comprehensive repository of all the Nutanix products purchased to date, their capacity, and assumed market prices.
In the top-right corner of the Product Portfolio tab, select the depreciation period from the Depreciation Schedule drop-down list and click Apply . The Hardware costs and any perpetual licenses are amortized based on the depreciation period you select. This impacts the amortized cost calculations within the product.
You can filter the products according to the product type (software or hardware) and product status (active or expired).
You can reconfigure the system assumed cost of your purchased Nutanix products or licenses manually.
You can download the Nutanix cost configuration file (in XLS format) of the product portfolio to edit the price and terms of individual products in an offline mode. You can upload and import the cost configuration file in Beam after you update the file with the new cost and term inputs.
To configure the cost of your purchased Nutanix products, do the following.
You can select Inline cost editing or Upload and Import .
The Cluster tab provides a list of all the clusters along with the monthly cost for each cluster.
This section allows you to configure the TCO of a cluster. The TCO model has a default industry standard assumptions that allows you to include the cost of any non platforms by providing the true cost of running the Nutanix Enterprise Cloud in your datacenter.
Beam for Nutanix Enterprise Cloud using a total cost of ownership (TCO) model covers all the cost considerations of running Nutanix Enterprise Cloud in your datacenter.
TCO is a configurable financial model that allows you to analyze the direct and indirect costs of owning, operating, and maintaining the Nutanix Enterprise Cloud. To simplify the accounting of the different cost heads contributing to the total cost of running your Nutanix Enterprise Cloud, TCO provides a costing model that includes default costs and assumed (industry standard) costs. Using TCO, you can view all the assumed costs and the logic using which the cost is calculated. You can also change the assumed cost to the actual cost incurred by you.
You can click Edit TCO against a cluster to view the details of different cost heads for a specific cluster and edit the industry-specific TCO assumptions to the actual TCO inputs for your cluster.
You can add custom costs for any custom third-party software, telecom service, facilities cost, and services cost.
Cost Heads | Description | Amortized |
---|---|---|
Hardware |
|
Cost of Nutanix hardware amortized for the depreciation period you select in the Product Portfolio tab. |
Software |
|
Cost of Nutanix software amortized for the depreciation period you select in the Product Portfolio tab for a one-time or perpetual license. The cost amortization for term software licenses is based on the term for which the license is purchased. |
Facilities |
Note:
If you change the datacenter type from On premise to
Co-Location, or conversely, the cost model is reset to default
state of the datacenter type that you select.
|
Amortized cost of facilities spread over the months. |
Telecom |
Represents the cost of the Telecom services and Ethernet switches that you have purchased. Ethernet Switch/Top of Rack Switch Cost - Represents the cost of the Ethernet switch or the top of rack switch used in your datacenter rack. This calculation is based on the following formula. Ethernet Cost/TOR = Number of Nodes * Number of Ports per Node * (Average Cost / Number of Ports per Ethernet Switch) You can click Configure to change the assumed cost to the actual cost of Average Cost per Ethernet/TOR Switch (5 Year Support) and Number of Ports per Ethernet Switch . The change is reflected in the values for the Average Cost per Port and the Number of Nodes .
The
Ethernet/Top of rack switch cost is based on the following assumptions.
To add a custom third-party telecom services cost, click
Add Custom Third Party Telecom Cost
and enter the following details.
|
|
Services |
Represents the cost of the custom services that you have purchased. Beam does not assume the cost of custom services and must enter the cost based on your actual cost.
To
add a custom third-party services cost, click
Add
Custom Third Party Services
and enter the
following details.
|
|
People |
Represents the cost of the administration of Nutanix nodes that
you have purchased. You can click
Configure
to change the assumed cost
to the actual cost that you have incurred on the following
administration cost parameters.
|
Amortized cost of administrative staff spread over the months. |
The Resource Metering tab allows you to select the resource metering model for individual clusters.
Resource metering provides a granular view of the cost of running a resource within a Nutanix cluster. The granular resource-level costing helps in understanding the cost incurred to run a Nutanix resource that can be used for Showback or Chargeback.
Resource metering is based on the sunk cost allocation from the cluster level to the resource level (based on the specifications and allocation hours). You can view the list of resources in a cluster and cost associated with each of the resources at a daily or monthly granularity.
Resource metering is done by allocating the amortized cost of the cluster proportionally to the resources that are running in the cluster.
You can change the Resource Metering Model from the Clusters table. In the Resource Metering Model column, click the drop-down list and select the metering model you want for the cluster. Then click Save to apply the selected metering model to the cluster.
You can also edit the overcommit ratio for the Target Virtual Capacity model. Click Edit against the cluster for which you want to change the overcommit ratio. In the Target Virtual Capacity - Overcommit Ratio page, enter the new ratio and click Done . Then click Save to save the changes.
The Resource Metering Model allocates the cluster cost to the Nutanix resources within the cluster. There are two types of Resource Metering Model - Actual Virtual Capacity and Target Virtual Capacity .
The Actual Virtual Capacity model allows you to split the cluster cost to the resources based on the actual provisioned virtual capacity (vCPU, vRAM, and vStorage).
The cost of a cluster gets divided between the cluster raw CPU cores and the raw total cluster flash drive capacity in tebibytes (TiBs) based on the Nutanix Acropolis capacity-based licensing ratio. The cost of the cluster raw CPU cores gets fully allocated to n vCPUs in the cluster based on vCPU-hours ( n is the number of vCPUs). The cost of the cluster RAM (in GiB) gets fully allocated to n vRAMs in the cluster based on vRAM-hours ( n is the number of vRAMs). The cost of the raw total cluster flash drive capacity in tebibytes (TiBs) gets fully allocated to m vDisk in the cluster based on vDisk-hours ( m is the vDisk capacity).
This allocation logic helps you to get the cost of 1 vCPU-hour, 1 GiB of vRAM-hour, and 1 GiB of vDisk-hour. The cost of a resource is derived by using these two variables, specification (vCPU, vRAM, storage allocation), and allocated hours.
The Target Virtual Capacity model allocates the cluster cost to the resources based on the target provisioned virtual capacity based on the overcommit ratio (vCPU : pCPU, vRAM : pRAM, and vStorage : pStorage).
The cost of a cluster gets divided between the cluster CPU cores, RAM (in GiB), and the flash drive capacity in tebibytes (TiBs) based on the overcommit ratio. The vRAM : pRAM is assumed to be 1:1, and is not configurable.
The cost of the cluster CPU cores gets fully allocated to expected vCPUs in the cluster based on vCPU-hours (expected vCPU = actual pCPU * expected vCPU overcommit). The cost of the cluster RAM gets fully allocated to expected vRAMs in the cluster based on vRAM-hours (expected vRAM = actual pRAM * expected vRAM overcommit). The cost of the cluster flash drive capacity in tebibytes (TiBs) gets fully allocated to expected vStorage in the cluster based on vDisk-hours (expected vStorage = actual pStorage * expected vStorage overcommit).
In the overprovisioned virtual capacity scenario, the cluster cost from the sum of all the resource cost is higher than the cluster amortized cost. You can view this information in the VM details table in the Resource Metering tab.
This section provides a list of the outage scenarios that can occur and the method by which Beam visualizes Resource Metering.
Configure currency to view the cloud spend in your preferred currency.
The currency configuration reduces the ambiguity in analyzing cloud spend from different cloud providers who often provide billing data in different currencies. For example, GCP might report cloud consumption in INR while AWS report cloud consumption in USD. Consolidating the billing data from these different sources without considering currency type results in ambiguous reports and dashboards. In order to simplify multicloud cost governance, Beam allows you to configure a single currency to calculate spend data across all views. You can also configure the corresponding conversion rates for the configured currency or use dynamic rates that Beam provides.
Source currency is the currency that your cloud service provider reports billing. When you onboard multiple cloud billing accounts from different cloud providers or regions, you can see a consolidated list of all the source currencies in the respective billing data on the Currency Configuration page. If you onboard a GCP billing account reported in INR and an AWS payer account reported in USD, you will see INR and USD in the source currency list.
You can use this configuration to select the target currency and the corresponding conversion rates applicable for spend analysis across Beam.
To configure the currency, do the following:
In the text box, enter the exchange rates as shown in the following figure.
Limitations and guidelines to consider when using the currency configuration.
Beam uses the source currency provided in the billing data for assessing reserved instances and displays the data in source currrency. Beam does not use the target currency provided in the currency configuration page for assessing reserved instances.
The dashboard for Nutanix displays informational widgets for ease of cost governance.
To view the Nutanix dashboard, log on the Beam console and select any of the connected Nutanix accounts.
This widget shows the Month to date, the amortized cost for Nutanix software you have purchased. This gives you a high-level view of the ongoing costs of running your Nutanix on-premises private cloud. In a multi-cloud context, it helps you to get a sense of the run-rate costs of using the private-cloud, similar to a public cloud ongoing spend view. By default, this widget displays the top spend of the top five clusters or services in your Nutanix account.
The Spend Analysis widget displays a bar graph of the historical spend analysis for the selected period with the current and projected spend for the past few months.
By default, this view displays the monthly spend data for the clusters. You can change the default view to display daily projections. To view a detailed information, click View Spend Trend , which redirects you to the Analyze page.This widget shows the total cost incurred for all the onboarded clusters. You can view the cost breakups for all the cost heads (for example, software, telecom, hardware, and so on). You can hover over the chart to view the contribution of each cost head (in percentage) to the total spend.
To view a detailed information, click View Details , which redirects you to the Resource Metering tab in the Analyze page. Resource metering provides a granular view of the cost of running a resource within a Nutanix cluster. The granular resource-level costing helps in understanding the cost incurred to run a Nutanix resource that can be used for Showback or Chargeback.
This widgets shows the cost incurred (Month to date) for all the VMs and VM-Snapshots that are running in your clusters.
You can click View All , which redirects you to the Compute view for detailed information that includes: total spend overview, the cost for all the sub-services, VM IDs, and cost based on categories applied to the Nutanix resources.
Beam provides a detailed view of the existing spend on Nutanix resources based on the deployed clusters and purchased products.
The Analyze page allows you to track spend across Nutanix resources both at an aggregate and granular level. You can drill down the cost further based on your clusters, VMs, and Tags (Prism Categories are considered as Tags).
Analyze views help you with the following.
The Analyze page contains the following sub-tabs.
View | Description |
---|---|
Overview | Displays the total cluster spend. |
Clusters | Displays the total cost of each cluster in your Nutanix account. |
Service Types | Displays the total cost for all the services types such as compute, storage, and no service in your Nutanix account. |
Services | Displays the total cost for all the services in your Nutanix account. |
Cost Centers | Displays the total spend split by Beam cost centers. This view includes the unallocated costs that are not tagged in your Nutanix account. |
Tags |
Displays the current spend based on the category applied to your Nutanix
resources. Click the
Tags
drop-down list to select a
category.
Note:
The chart also displays all the values that are tagged to a selected
tag key.
|
Note:
Both No Service and No Service Type include the spend of unprovisioned capacity
and unmetered cluster cost.
|
Beam calculates the monthly amortized costs of clusters on the basis of Total Cost of Ownership (TCO). This monthly amortized cost data is also used in projecting future month's cost data. When the hardware or software scale-up or scale-down occurs or when TCO inputs are updated, Beam recalculates the monthly amortized cluster costs and updates the forecast accordingly.
View | Description |
---|---|
Overview | Displays a line chart of the projected and actual spend for the selected period. |
Clusters | Displays a line chart of the projected and actual spend for all the clusters in your Nutanix account. |
The Resource Metering tab displays the list of clusters and cost associated with each of the clusters.
Click View Details to view the individual cluster data for the selected month. At the top-right corner, you can click the share , schedule , and download icon respectively to share, schedule, and download the report with all details of the respective cluster.
Total Cost of Ownership - Shows the total cost incurred for the cluster. You can view the cost breakups for all the cost heads (for example, software, telecom, hardware, service, people, and facilities). You can hover over the chart to view the contribution of each cost head (in percentage) to the total spend.
Cluster Details - Shows the detailed information of the cluster. For example, resource metering model, the name of the hypervisor, user VM count, and used VM snapshot storage, used file storage, and used object storage.
List of VMs, VM-Snapshots, and Files & Objects - By default, the list of VMs running within a cluster are displayed. You can click the drop-down list in the right corner to view the cost of storage consumed by VM-Snapshots, and Files & Objects. Depending on the resource type you selected, you can view the metered cost for VMs, VM-Snapshots, Files and Objects based on usage and price per unit on a daily basis.
Resources | Entity | Description |
---|---|---|
VM | VM Name | The name of the Nutanix VM. |
VM ID | The unique identifier of the Nutanix VM. | |
vCPU-hrs | The aggregate of vCPU configuration and the number of hours the VM has been powered on for the selected month. | |
Average price per vCPU-hr | The average daily cost per vCPU-hrs for the selected month to date. | |
vRAM-hrs | The aggregate of provisioned vRAM configuration and the number of hours the VM has been powered on for the selected month. | |
Average price per vRAM-hr | The average daily cost per vRAM-hrs for the selected month to date. | |
vStorage-GiB | The average daily utilization of storage per VM. | |
Cumulative price per vStorage-GiB | The total cost of storage utilization per VM for the selected month to date. | |
Cost (Month-to-date) | The cumulative cost of VM per day for the selected time period. | |
Avg Cost per Hour | The average cost of VM per hour for the selected month to date. | |
VM-Snapshots | PD Name | The name of the Snapshot/Protected Domain. |
vStorage-GiB | The average daily utilization of storage per Snapshot/Protected Domain. | |
Cumulative price per vStorage-GiB | The total cost of storage utilization per Snapshot/Protected Domain for the selected month to date. | |
Cost (Month-to-date) | The cumulative cost of Snapshot/Protected Domain per day for the selected time period. | |
Files & Objects | Service Name | The name of the File Service or Object Service. |
vStorage-GiB | The average daily utilization of storage per Files service and Objects service. | |
Cumulative price per vStorage-GiB | The total cost of storage utilization per Files service and Objects service for the selected month to date. | |
Cost (Month-to-date) | The cumulative cost of Files service and Objects service per day for the selected time period. |
In the overprovisioned virtual capacity scenario, the cluster cost from the sum of all the resource cost is higher than the cluster amortized cost. You can view this information in the VM details table.
View | Description |
---|---|
Overview | Displays a line chart of the total spend for all the compute services within the cluster for the selected period. You can hover over the stacked bar to view the total spend for a specific day. |
Clusters | Displays a line chart of the total cost of each cluster in your Nutanix account. |
Services | Displays a line chart of the total cost for all the compute services within your Nutanix cluster. |
Sub Services |
Displays a line chart of the total cost for all the sub-services within your
Nutanix cluster.
Beam provides cost visibility to the Nutanix Virtual Machine Service. This service has VM and VM-Snapshot Sub-Services. |
Cost Centers | Displays the total spend split by Beam cost centers. This view includes the unallocated costs that are not tagged in your Nutanix account. |
Resources |
Displays all the VM IDs (VM Sub Service) and protection domains (VM-Snapshot Sub Service) along with their associated cost. |
Tags |
Displays a line chart of the total cost based on the categories applied to your
Nutanix resources. You can click the tag drop-down list to select a
category.
Note:
The chart also displays all the values that are tagged to a
selected tag key.
|
View | Description |
---|---|
Overview | Displays a line chart of the total spend on all the services used for storage within the cluster for the selected period. |
Clusters | Displays a line chart of the total cost of each cluster in your Nutanix account. |
Services | Displays a line chart of the total cost for all the storage services within your Nutanix cluster. |
Cost Centers | Displays the total spend split by Beam cost centers. This view includes the unallocated costs that are not tagged in your Nutanix account. |
Category | Description | |
---|---|---|
Services | Nutanix Virtual Machine | Includes all the user VMs along with their Snapshots in the cluster. |
Nutanix Files | Includes all the Files services in the cluster. | |
Nutanix Objects | Includes all the Object services in the cluster. | |
Nutanix End Users | Includes all the user VMs hosting VDIs in the cluster running an Acropolis VDI software package. | |
Nutanix Edge | Include all the user VMs hosting ROBO in the cluster running an Acropolis ROBO software package. | |
Service Types | Compute | Includes all the compute services running in the Nutanix cluster |
Storage | Includes all the storage services running in the Nutanix cluster | |
No Service | Includes both the Unmetered Cluster Cost and Unprovisioned Virtual Capacity. For more details, refer to the section Resource Metering in the topic Cost Analysis (Nutanix) . | |
Sub-Services | Nutanix Virtual Machine | Includes all the user VMs in the cluster. |
Nutanix VM-Snapshot (Protection Domain) |
VMs are replicated through Snapshots, which consume virtual
storage capacity. The VM-Snapshot sub-service provides cost
visibility of Snapshots within a cluster at a Protection Domain
granularity. A protection domain is a defined group of VM
snapshots to be backed up locally on a cluster or replicated on
the same schedule to one or more remote sites.
Note:
Beam
recommends upgrading NCC to 3.10 to get accurate cost
visibility for snapshots (Protection Domain).
|
|
Nutanix Edge Virtual Machine | Include all the user VMs hosting ROBO in the cluster running an Acropolis ROBO software package. | |
Nutanix Edge Snapshot | Include all the user VM-Snapshots hosting ROBO in the cluster at a Protection Domain granularity running an Acropolis ROBO software package. | |
Nutanix End Users Virtual Machine | Includes all the user VMs hosting VDIs in the cluster running an Acropolis VDI software package. | |
Nutanix End Users Shapshot | Include all the user VM-Snapshots hosting VDIs in the cluster at a Protection Domain granularity running an Acropolis VDI software package. |
Beam generates a report to track cost consumption across all your Nutanix accounts. The report contains detailed spend information for clusters including spend at a VM level within each cluster.
Beam application generates reports to track cost consumption for your Nutanix cloud accounts at both aggregate and granular levels, like a functional unit, workloads, and applications.
To schedule a report, do the following.
Beam application generates reports to track cost consumption for your Nutanix cloud accounts at both aggregate and granular levels, like a functional unit, workloads, and applications.
To share the report, do the following:
Beam application generates reports to track cost consumption for your Nutanix cloud accounts at both aggregate and granular levels, like a functional unit, workloads, and applications.
To download a report, do the following:
The Chargeback feature enables the financial control of your cloud spends by providing the ability to allocate cloud resources to departments based on definitions. It provides a consolidated view across all your cloud accounts in a single pane of finance view.
Note the following points when creating a chargeback for your Nutanix on-premises environment.
A business unit is defined as a collection of cost centers. You can use the business units to define hierarchies in your organization between different departments. It is not necessary to define a business unit to view chargeback. You can also define chargeback only based on cost centers.
A cost center is a collection of resources within a single or multiple cloud accounts. You can assign the resources to the cost center based on tags. You can either allocate a complete account or resources within an account to a cost center.
Unallocated resources are the resources that do not belong to any of the cost centers based on definitions.
Unallocated resources include the following.
You can define a cost center based on accounts, clusters, and prism categories. You can add resources belonging to a single or multiple accoounts when defining the cost center. Beam also allows you to extend the definition of your cost centers to public clouds, that is, you can add AWS and Azure resources.
The following image describes an example of a multicloud configuration. The cost center consists of Nutanix, AWS, and Azure resources.
To add a business unit, do the following.
You can edit (or delete) an existing business unit.
To edit a business unit, do the following.
Note the following points when creating a cost center for your Nutanix cloud.
To add a cost center, do the following.
Beam allows you to edit (or delete) an existing cost center.
To edit a cost center for multicloud accounts, do the following.
To allocate an unallocated resource for chargeback, do the following.
An administrator can do the following.
You can select the Allocated and Unallocated options in the top-right corner of the page to view the cost details for allocated and unallocated resources.
In the Unallocated Cost table, you can use the Allocate button to allocate resources to a cost center. To allocate the unallocated resources to cost centers, see Allocating Unallocated Resources To Cost Center.
In the Allocated Cost table, an administrator can browse through all the business units and cost centers (created by the administrator) to view detailed information.
View | Description |
---|---|
Spend Overview | Displays a pie graph of the cost breakup summary for the allocated and unallocated resources. |
Spend Analysis - Unallocated Cost |
Displays a bar graph of the historical spend analysis for the unallocated resources with an actual and projected spend for the last three months. |
Spend Analysis - Allocated Cost | Displays a bar graph of the historical spend analysis for the allocated resources with an actual and projected spend for the last three months. |
Top Spend | Displays the services and accounts that are consumed the most in your business unit or cost center. You can use the drop-down list in the right corner to select Top services or Top accounts . |
Unallocated Cost |
Displays the list of unallocated resources along with the cloud
type, associated accounts, or subscriptions. You can also view the
total cost incurred for each resource.
You can also allocate unallocated resources to a cost center. For more information, see Allocating Unallocated Resources To Cost Center. |
Allocated Cost |
Displays detailed information for the allocated resources that
include the following.
In the Actions column, you can click the Edit and Delete buttons to edit the resource details or delete the resource. You can use the drop-down list in the top-right corner of the Allocated Cost table to filter the resources by business unit, cost center, or business unit and cost center. You can also click the share and download icons in the top-right corner to share or download the resource details. |
The owners and viewers can view the business units and cost centers for which they have access.
You can use the View Selector (public cloud) and View Selector (Nutanix) to select the business unit or cost center.
The following table describes the widgets available for business unit and cost center views.
View | Description |
---|---|
Spend Overview | Displays the total spend cost (month to date) and the projected spend cost for the business unit or cost center. |
Spend Analysis - Allocated Cost | Displays a bar graph of the historical spend analysis for the allocated resources with an actual and projected spend for the last three months. |
Top Spend | Displays the services and accounts that are consumed the most in your business unit or cost center. You can use the drop-down list in the right corner to select Top services or Top accounts . |
Allocated Cost |
Displays detailed information for the allocated resources (within
a cost center) that includes the following.
You can use the expand icon to view details about services
within the account or subscription.
Note:
If the pulse was not
available for a Nutanix cluster for a given number of days
in a month, the
Unmetered Cluster
Cost
line item appears showing the cluster
cost incurred for those days. For more information, see
Cost Analysis (Nutanix).
You can click View Details against each service to view the resource details. You can also click the share and download icons in the top-right corner to share or download the detailed report for the cost center. |
The Budget feature in Beam extends the budgeting capability for a business unit, cost center, or scope. A budget allows you to centralize the budget at the business unit, cost center, or scope levels to ensure that your consumption is within the budget that you have defined. You can also create custom budgets.
Beam monitors and tracks the consumption continuously, and you can track any threshold breaches to the budgets that you have configured using the Budget page in the Beam console. Organization level budgets can be tracked at the quarterly or yearly level basis for the selected business unit, cost center, or custom budgets.
The Budget page allows you to view the budget cards based on the budgets that you have configured for your cloud accounts.
The budget card for a business unit or cost center displays the Budgeted amount , Current Spend , and Estimated spend . You can also edit the budget details or delete an existing budget using the Budget page.
You can define and track a budget based on the following resource groups.
You can add a threshold for your budget alerts. When the budget reaches the threshold you specified, Beam sends a notification to the email addresses you enter when creating the budget alerts.
Beam allows you to create Budgets based on the resource groups that you have defined.
To add a global Budget, do the following.
You can add percentages of the total budget value. When the budget reaches the threshold value you entered, Beam sends a notification via an email to the email addresses you enter.
You can add alerts for the following periods.
You can view your budget details from the Budget page in Beam. To view budget details, click View Details option in any of the budget cards. The Year Breakup and Cost Breakup for the budget is displayed.
To download or share the cost breakup report, click the download or share icon.
In the top-right corner, you can click the Expired button to view the expired budgets.
You can do the following in the expired budgets view.
You can edit the budget alerts for the cost centers and business units in the Budget page. In the Budget page, you can view the budget cards for your cost centers and business units.
To edit the budget alerts for your cost centers, business units, or scopes, do the following.
You can edit the period and threshold values.
A scope is a logical group of your cloud resources that provides you with a custom view of your cloud resources. You can define scopes using cloud, accounts, and tags. The administrator can assign read-only access to a user. The user gets read-only access for the resources within the scope and not the cloud accounts that constitute the scope. After you create a scope, click View in the top-right corner to open the User Interface Layout and select the scope.
A scope is a logical group of your cloud resources that provides you with a custom view of your cloud resources.
To create a scope, do the following.
This section provides information about the supported licenses for your Beam accounts, license entitlement for Nutanix on-premises, and subscription entitlement for public clouds.
To access the Licensing page, click Hamburger Icon > Configure > Licensing .
Refer to the following table to know about the various statuses available for your Beam account.
Status | Description |
---|---|
In Trial | A banner gets displayed notifying you about the trial period and suggesting you purchase a license. |
Trial Expired or License Expired | The Expired status appears after your trial period gets over or the applied license gets expired. You would not be able to use the Beam features and need to purchase the license. |
License Applied | Indicates that your license is applied. You can also view the expiry date for the license. |
The following two cases may occur after the license gets applied:
For public clouds (AWS and Azure), one of the following statuses get displayed on the Licensing page:
Status | Description |
---|---|
In Trial | A banner gets displayed to notify you about the trial period and an option to purchase a subscription. To purchase a subscription, click Purchase Online Now , which redirects you to the Nutanix Billing Center. |
Subscription Active | This status indicates that you have an active subscription. The expiration date of the active subscription is also displayed. |
Trial Expired or License Expired | The Expired status appears after your trial period gets over or the active subscription gets expired. You would not be able to use the Beam features and need to purchase or renew the subscription. |
You must have a valid license and subscription to use the Beam features for your Nutanix on-premises and public clouds. If you do not purchase a license or subscription, a banner gets displayed at the top of the Beam page indicating that there are feature violations.
Beam provides API services to allow you to programmatically retrieve data from the Beam's platform and perform different configurations.
Beam allows you to track your cloud expenses, optimize your cloud cost, and achieve visibility into your spend. Beam centralizes all your cloud expenses and multiple accounts into a single place and simplifies cloud cost management.
The supported public clouds are AWS , Azure , and GCP .
Support for AWS allows you to track your AWS cloud expenses, optimize your cloud cost, and achieve visibility into your spend. Beam centralizes all your AWS cloud expenses and multiple AWS accounts into a single place and simplifies cloud cost management.
For a consolidated billing, you must sign up in the AWS Billing and Cost Management console and designate your account as a payer account. You can link other accounts (linked accounts) to the payer account for consolidated billing. In AWS consolidated billing, the payer account is charged for all the linked accounts every month. For more information, see AWS Billing and Cost Management User Guide on AWS documentation website .
Beam helps you to optimize AWS services like EC2, RDS, EBS, EIP, Route53, Workspace, EC2, DynamoDB, ELB, Redshift, and ElastiCache.
Support for Azure enables you to take control of your cloud spend on the Azure cloud. Beam helps you to optimize the Azure services like Managed Disks, Azure SQL DB, VM, Public IP, PostgreSQL Server, MySQL Server, Load Balancer, Application Gateways, SQL DataWarehouse, and Redis Cache.
Support for Google Cloud Platform (GCP) allows you to track your GCP resources and provide insights into your cost spends. Beam centralizes all your GCP cloud expenses and multiple GCP accounts into a single pane and simplifies cloud cost management.
Beam helps you analyze your GCP services like Compute Engine, Cloud Storage, Kubernetes Engine, and BigQuery.
Apart from providing cost visibility and optimization recommendations for individual clouds, Beam also provides cost visibility and optimization recommendations for entities with multiple clouds (Nutanix, AWS, Azure, and GCP). You can configure two types of multicloud entities - Financial and Scope.
Financial is a hierarchical structure comprising of Business units and Cost Centers used for Chargeback. Chargeback allows you to group cloud resources across multiple clouds (Nutanix, AWS, Azure, and GCP) within Cost Centers and Business units. By design, a cloud resource cannot be part of different cost centers or business units. For more information, see Chargeback.
Scope is a custom resource group with resources across multiple clouds (Nutanix, AWS, Azure, and GCP). Scopes are useful in providing visibility to logical resource groups like applications, project teams, cross-functional initiatives, and more. Hence, by design, a cloud resource can be part of multiple Scopes. For more information, see Scopes.
This section provides information on the layout and navigation of the Beam console.
The Beam console provides a graphical user interface to manage Beam settings and features.
When you log on to the Beam for the first time, the View Selector pop-up appears. The View Selector pop-up allows you to search for an account by typing the account name in the search box or navigate and select a cloud account, business unit or cost center, and custom scope.
The Dashboard is the welcome page that appears after logging and selecting a view in Beam.
For the subsequent logins, the last visited page for the last selected view (account, business unit or cost center, and scope) appears. You can click View in the top-right corner to open the View Selector pop-up and select a different view.
View | Description |
---|---|
All Clouds | Select this view to get total cost visibility for AWS-, Azure-, GCP-, and Nutanix-accounts for which you have access. |
Cloud Accounts (AWS, Azure, GCP, and Nutanix) | Allows you to select AWS, Azure, GCP, and Nutanix accounts. |
Financial | Allows you to select business units or cost centers you created for the chargeback. |
Scopes | Allows you to select the custom scopes you created. |
The Beam Console screens are divided into different sections, as described in the following image and table.
Menu | Description |
---|---|
Hamburger icon | Displays a menu of features on the left. When the main menu is displayed, the hamburger icon changes to an X button. Click the X button to hide the menu. |
Alerts | The Alert option allows you to see system-generated alert notifications. Click the bell icon from the main menu bar to view alerts. Click See More to view the complete list of notification. |
User Menu |
The user drop-down menu has the following options.
|
Help Menu |
You can click the question mark icon in the top-right corner of the console to
view the following:
|
Widgets Section | The widgets section displays the informational and actionable widgets corresponding to the feature that you have selected from the main menu. For instance, the Dashboard page display widgets like Spend Overview , Spend Analysis , Save , and Cloud Efficiency . |
View option | Click View in the top-right corner to open the View Selector pop-up. |
Clicking the Hamburger icon displays a menu of features on the left. When the main menu is displayed, the Hamburger icon changes to an X button. Click the X button to hide the menu.
The following table describes each feature in the main menu.
Feature | Description |
---|---|
Dashboard | Displays the Dashboard page (see Dashboard). |
Analyze |
Displays the
Analyze
page (see Analyze - Cost Analysis).
Analyze allows you to track cost consumption across all your cloud resources at both the aggregate and granular level. You can drill down cost further based on your services, accounts, or application workload. |
Chargeback |
Displays the
Chargeback
page (see Chargeback).
Enables the financial control of your cloud spends by providing the ability to allocate cloud resources to departments based on definitions. It provides a consolidated view across all your cloud accounts in a single pane for Finance views. |
Budget |
Displays the
Budget
page (see Budget).
A budget allows you to centralize the budget at the business unit, cost center, or scope levels to ensure that your consumption is within the budget that you have defined. |
Reports |
Displays the
Reports
page (see Cost Reports).
Beam generates reports to track cost consumption across all your cloud accounts at both aggregate and granular levels, like a functional unit, workloads, and applications. The reports are generated automatically and are available to view, download, or share from the Beam console. |
Save |
Displays the
Save
page (see Save - Cost Saving).
Helps you save money on cloud spend by identifying unused and underutilized resources. Also, you get specific recommendations for optimal consumption. |
Purchase |
Displays the
Purchase
page (see Purchase - Recommendations).
Provides insights on overall RI usage statistics, recommended RI purchases, managing existing RI portfolio, and RI coverage. |
Playbooks |
Displays the
Playbooks
page (see Playbooks).
Allows you to automate actions on your public cloud environment for better cloud management. It helps you to improve your operational efficiency by reducing manual intervention. |
Configure menu |
The Configure menu allows you to do the following operations.
|
Beam allows you to do the following administrative controls.
You can add and manage users using the Beam console.
This section helps you to understand all the different roles in Beam and when you would use each.
When a user creates a Beam subscription, a tenant is triggered and the user becomes the owner of that tenant. An owner is shown as Admin (Owner) in the User Management page. The owner role has the following attributes.
You can't create an owner role in Beam. However, you can create as many as three Beam owners from My Nutanix. Only My Nutanix Account Administrators have the necessary permissions to create Beam owners. For more information on My Nutanix user management, see Cloud Services Administration Guide .
An administrator is shown as Admin in the User Management page. The administrator role has the following attributes.
A user role is created by granting read-only or read & write permission for selected accounts.
Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution that you can use for implementing single sign-on in Beam. To integrate ADFS with Beam, log on to your MyNutanix account, and perform the integration. See SAML Authentication for details. To log on to your Beam account using ADFS, see Logging into Xi Cloud Services as an SAML User .
If you log on to Beam through ADFS, you can get access to Nutanix Support only if your MyNutanix account was used to add your Beam user account. However, if your Beam user account was not added using your MyNutanix account, you do not get access to support.
Beam is a multi-cloud cost governance SaaS product that provides a free, full-featured, 14-day trial period. During the free trial period, you can configure your Nutanix On-premises and public cloud accounts (AWS, Azure, and GCP) in Beam to evaluate the features. It takes about 15 minutes to configure your cloud accounts in Beam.
The following sections describe the onboarding steps for AWS-, Azure-, and GCP-accounts.
Refer to this section to know about the access and permissions required to configure your cloud accounts in Beam.
{
"EnrollmentNumber": "XXXXXXXX",
"Id": "027d019e-5674-4771-a09d-1XXXXXXX840",
"ReportView": "Enterprise", (or Indirect Enterprise)
"PartnerId": "",
"DepartmentId": "",
"AccountId": "",
"iss": "ea.microsoftazure.com",
"aud": "client.ea.microsoftazure.com",
"exp": 1554264804,
"nbf": 1538540004
}
Ensure that you have the following access before starting with the account onboarding steps:
To enable Beam to retrieve data on your Google Cloud Platform (GCP) resources and provide insights into your cost spend, you must onboard your GCP billing accounts to Beam. You can add multiple GCP billing accounts in Beam and get an insight into your cost spend.
The following table introduces the principal GCP terms and entities:
Term | Description |
---|---|
Project | A project organizes all your Google Cloud resources. A project consists of a set of users; a set of APIs; and billing, authentication, and monitoring settings for those APIs. For example, all of your Cloud Storage buckets and objects, along with user permissions for accessing them, reside in a project. You can create single or multiple projects and use them to organize your Google Cloud resources, including your Cloud Storage data, into logical groups. |
Billing Account |
A cloud-level resource managed in the GCP console. It tracks all of the costs (charges and usage credits) incurred by your Google Cloud usage. You can link one or more projects to a billing account. Project usage gets charged to the linked Cloud Billing account. For more information, see the Overview of Cloud Billing Concepts section in the Google Cloud Documentation . |
BigQuery Table |
Contains individual records organized in rows. Every table is defined by a schema that describes the column names, data types, and other information. You must provision the Big query table in one of the projects. The table will store the billing data for all the projects within the billing account. Beam pulls the billing data from the BigQuery table and provides insight into your GCP cloud spend. |
Service Account |
A special kind of account used by an application (not a person)
to make authorized API calls.
|
The Service account for your enterprise gets created in Nutanix's own secure GCP Project. You need to create IAM roles with the required permissions and attach them to the Service account so that Beam can fetch the billing data and provide cost insights.
This section describes the procedure to add your first GCP billing account in Beam. Beam fetches the billing data of all projects associated with the given billing account and provides visibility into your spend.
To add a GCP billing account in Beam, do the following:
If you are onboarding your first billing account, an option to create a service account is visible. For the subsequent billing accounts, Beam auto-populates the previously created service account ID on the Configure Permissions page.
The service account created when onboarding the first GCP billing account is used for the subsequent GCP billing accounts. The service account field is auto-populated when onboarding the next GCP billing accounts in Beam.
Perform the following steps to onboard your subsequent GCP billing accounts in Beam:
You can follow one of the given options to provide the required IAM roles and permissions:
Beam needs certain permissions to fetch the billing data and provide cost insights. For users with access to GCP organizations, you need to create two IAM roles and attach them to the service account created by Beam. Refer to this section to get an understanding about the IAM roles and its required permissions.
Role Created At | Role Attached At | Role JSON (Use JSON to programmatically create the role) |
---|---|---|
Organization level | Billing project level and Billing account level |
|
Role Created At | Role Attached At | Role JSON (Use JSON to programmatically create the role) |
---|---|---|
Organization level | Folder or organization level |
|
To create the roles in the GCP Console, see Creating IAM Roles.
Refer to the following table to understand the GCP permissions to create and attach the IAM roles required by Beam.
Task | GCP Role |
---|---|
Create and attach roles at Organization level |
|
Create and attach roles at Project level |
|
Create and attach roles at Folder level |
|
Attach roles at Billing account level | roles/billing.admin : GCP Inbuilt Role to attach roles at the Billing account level. |
This section describes the procedure to create the required IAM roles in the GCP console for the user with access to GCP organizations.
To create the required IAM role, do the following:
IAM Role | Entity |
---|---|
(Mandatory) beam-bill-ingestion-role | Organization level. For example, nixbeam.com . |
(Optional) beam-project-metadata-role | Organization level. For example, nixbeam.com . |
Option | Description |
---|---|
Title |
Enter the role name you are creating. Role name: beam-bill-ingestion-role or beam-project-metadata-role . |
Description |
Enter a description for the role. Example: Allows Beam to ingest bills from the BigQuery table and read Projects associated with a given billing account for beam-bill-ingestion-role . |
ID | Enter the role ID in the following format: beam_bill_ingestion_role or beam_project_metadata_role . |
Role launch stage | Select General Availability . |
The Add Permissions window appears.
Refer to Users with access to GCP Organizations to view the required permissions for the role that you are creating.
Repeat this step to search and select the remaining permissions.
This section describes the procedure to attach the two IAM roles you created to the service account, for the user with access to GCP organizations.
To attach the IAM roles to the service account, do the following:
A list of billing accounts appear.
Beam needs certain permissions to fetch the billing data and provide cost insights. For the users without access to GCP organizations, you need to create an IAM role and use a GCP inbuilt role and attach them to the service account created by Beam. Refer to this section to get an understanding about the IAM roles and its required permissions.
Role Created At | Role Attached At | Role JSON (Use JSON to programmatically create the role) |
---|---|---|
Project level | Project level |
|
To create the roles in the GCP Console, see Creating IAM Roles.
Refer to the following table to understand the GCP permissions to create and attach the IAM roles required by Beam.
Task | GCP Role |
---|---|
Create and attach roles at Project level |
|
Attach roles at Billing account level | roles/billing.admin : GCP Inbuilt Role to attach roles at the Billing account level. |
This section describes the procedure to create the required IAM role in the GCP console for the user without access to GCP organizations.
To create the required IAM role, do the following:
IAM Role | Entity |
---|---|
(Mandatory) beam-bill-ingestion-role | Project level |
Option | Description |
---|---|
Title |
Enter the role name you are creating. Role name: beam-bill-ingestion-role . |
Description |
Enter a description for the role. Example: Allows Beam to ingest bills from the BigQuery table . |
ID | Enter the role ID in the following format: beam_bill_ingestion_role . |
Role launch stage | Select General Availability . |
The Add Permissions window appears.
Refer to Users without access to GCP Organizations to view the required permissions for the role that you are creating.
Repeat this step to search and select the remaining permissions.
This section describes the procedure to attach the two IAM roles to the service account, for the user without access to GCP organizations.
To attach the IAM roles to the service account, do the following:
This section describes the procedure to fetch the billing account details ( Billing Account ID , Project ID , and Dataset ID ) that you need to add in the Beam console to complete the onboarding process.
To fetch the billing account details, do the following:
You can view the Billing account ID at the top of the page.
Refer to this section to understand the actions you can take on the GCP billing accounts in Beam.
Click the Hamburger icon in the top-left corner to display the main menu. Then, click Configure > GCP Accounts . Then, click Manage Account against the Billing account that you want to manage.
When you change the source of your BigQuery export in the Billing Account > Billing export (GCP Console) according to your business requirements, you must add the new billing source in the Beam console.
To add a billing source in the Beam console, do the following:
The Add Billing Source pop-up appears.
For more information on how to get the Project ID and Dataset ID, see Fetching the Billing Account Details .
Refer to this section to delete a Billing account from Beam.
To delete a Billing account in Beam, do the following:
The Deleting GCP Billing Account window appears.
This section describes the procedure to add your AWS payer account in Beam.
Adding an AWS account in Beam involves three steps:
To add an AWS Payer account, do the following.
1. In Report Name , enter the name for the CUR.
2. In S3 Bucket Name , enter the name of your CUR bucket.
3. In Report Prefix , enter the prefix of the CUR in AWS.
You can click the Where can I find this? hyperlink to go to the AWS Cost and Usage Reports page in the AWS console. For detailed instructions on getting the report name, S3 bucket name, and report prefix of your existing CUR, see Getting Cost and Usage Report (CUR) Details (AWS Console).
To get the report prefix path for your CUR, see Getting Report Path Prefix (AWS Console).
For more information, see Required Permissions.
Successfully fetched the CloudFormation Template.
Beam detects the AWS linked accounts after you add the payer account.
To view the list of AWS linked accounts, click the Hamburger icon in the top-left corner to display the main menu. Then, click Configure > AWS Accounts . You can view the payer accounts added in Beam. Click Manage to view the list of linked accounts detected for a payer account.
To configure the linked accounts in Beam, do the following.
For more information, see Required Permissions.
Successfully fetched the CloudFormation Template.
This section describes the steps to unconfigure linked accounts.
To view the list of AWS linked accounts, click the Hamburger icon in the top-left corner to display the main menu. Then, click Configure > AWS Accounts . You can view the payer accounts added in Beam. Click Manage to view the list of linked accounts detected for a payer account.
To unconfigure the linked accounts from the payer account, do the following.
A confirmation message appears. Click Delete to complete the workflow.
After your AWS account configuration in Beam is complete, you can verify if the configuration is correct.
To test if your AWS account is accessible, do the following.
To create an AWS Cost and Usage Report (CUR), go to the Reports page of the AWS Billing and Cost Management Console .
To create an AWS Cost and Usage Report, do the following.
Or
To get the details of your existing CUR, do the following.
To execute the CloudFormation template, do the following.
Click Amazon S3 URL and enter the URL if you opted to directly execute the CloudFormation template. Then, click Next to proceed.
Or,
The cost allocation tag is a label that AWS assigns to an AWS resource. You can use the cost allocation tags to track your AWS costs on a detailed level. After you activate the cost allocation tags, AWS uses the cost allocation tags to organize your resource costs on your cost allocation report. This makes it easier for you to categorize and track your AWS costs.
To activate the AWS-generated tags, do the following.
While performing the AWS account onboarding in Beam, you need to enter the report path prefix that is appended to the name of your CUR. This section describes the steps to get the report path prefix for your CUR from the AWS console.
To get the report path prefix for your CUR, perform the following steps in the AWS console.
This section describes the read and read & write policies required by Beam.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:Describe*",
"cloudfront:Get*",
"cloudfront:List*",
"opsworks:Describe*",
"opsworks:Get*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:Describe*",
"ec2:GetReservedInstancesExchangeQuote",
"elasticache:Describe*",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"redshift:Describe*",
"elasticache:Describe*",
"iam:List*",
"iam:CreatePolicy",
"iam:AttachRolePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:Get*",
"workspaces:Describe*",
"route53:Get*",
"route53:List*",
"rds:Describe*",
"rds:ListTagsForResource",
"s3:List*",
"sqs:GetQueueAttributes",
"sqs:ListQueues"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::/*",
"arn:aws:s3:::"
]
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::bucket-xyz/*",
"arn:aws:s3:::bucket-xyz"
]
},
{
"Effect": "Allow",
"Action": [
"organizations:ListAccountsForParent",
"organizations:ListAccounts"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1415015011805",
"Action": [
"ec2:Describe*",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DeleteVolume",
"ec2:CreateTags",
"ec2:ReleaseAddress",
"ec2:RegisterImage",
"ec2:CreateImage",
"ec2:DeregisterImage",
"ec2:DisassociateAddress",
"ec2:TerminateInstances",
"ec2:CreateImage",
"ec2:ModifySnapshotAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:GetReservedInstancesExchangeQuote"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::/*",
"arn:aws:s3:::"
]
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::bucket-xyz/*",
"arn:aws:s3:::bucket-xyz"
]
},
{
"Effect": "Allow",
"Action": [
"organizations:ListAccountsForParent",
"organizations:ListAccounts"
],
"Resource": "*"
},
{
"Sid": "Stmt1415015042420",
"Action": [
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:Describe*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "Stmt1415015086161",
"Action": [
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "Stmt1415015300839",
"Action": [
"rds:Describe*",
"rds:List*",
"rds:CreateDBSnapshot",
"rds:DeleteDBSnapshot",
"rds:DeleteDBInstance"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "Stmt1415015300851",
"Action": [
"iam:CreatePolicy",
"iam:AttachRolePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:List*",
"iam:Get*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"cloudtrail:ListTags",
"cloudtrail:GetEventSelectors",
"events:*",
"sns:Set*",
"sns:Get*",
"sns:GetTopicAttributes",
"sns:DeleteTopic",
"sns:Create*",
"sns:Unsubscribe",
"sns:ConfirmSubscription",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:List*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "Stmt1534849103503"
},
{
"Sid": "Stmt1415015300878",
"Action": [
"autoscaling:Describe*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "Stmt1445611947000",
"Effect": "Allow",
"Action": [
"redshift:Describe*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948000",
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics",
"dynamodb:DeleteTable"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948010",
"Effect": "Allow",
"Action": [
"opsworks:Describe*",
"opsworks:Get*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948020",
"Effect": "Allow",
"Action": [
"route53:Get*",
"route53:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948021",
"Effect": "Allow",
"Action": [
"elasticache:Describe*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948022",
"Effect": "Allow",
"Action": [
"elasticmapreduce:Describe*",
"elasticmapreduce:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948023",
"Effect": "Allow",
"Action": [
"dynamodb:Describe*",
"dynamodb:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948025",
"Effect": "Allow",
"Action": [
"elasticmapreduce:Describe*",
"elasticmapreduce:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948024",
"Effect": "Allow",
"Action": [
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948028",
"Effect": "Allow",
"Action": [
"cloudfront:Get*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948029",
"Effect": "Allow",
"Action": [
"elasticache:Describe*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948030",
"Effect": "Allow",
"Action": [
"config:Describe*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948035",
"Effect": "Allow",
"Action": [
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948036",
"Effect": "Allow",
"Action": [
"cloudfront:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948076",
"Effect": "Allow",
"Action": [
"kinesis:ListStreams"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948086",
"Effect": "Allow",
"Action": [
"glacier:ListVaults"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948089",
"Effect": "Allow",
"Action": [
"sqs:ListQueues",
"sqs:GetQueueAttributes"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948088",
"Effect": "Allow",
"Action": [
"workspaces:Describe*",
"elasticache:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948092",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:TagResource",
"lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:ListAliases",
"lambda:UpdateFunctionConfiguration",
"lambda:GetFunctionConfiguration",
"lambda:UntagResource",
"lambda:UpdateAlias",
"lambda:UpdateFunctionCode",
"lambda:GetFunctionConcurrency",
"lambda:ListTags",
"lambda:DeleteAlias",
"lambda:DeleteFunction",
"lambda:GetAlias",
"lambda:CreateAlias"
],
"Resource": "arn:aws:lambda:*:*:function:*"
},
{
"Sid": "Stmt1445611948093",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"iam:PassRole"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:Describe*",
"cloudfront:Get*",
"cloudfront:List*",
"opsworks:Describe*",
"opsworks:Get*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:Describe*",
"ec2:GetReservedInstancesExchangeQuote",
"elasticache:Describe*",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"redshift:Describe*",
"elasticache:Describe*",
"iam:List*",
"iam:Get*",
"workspaces:Describe*",
"route53:Get*",
"route53:List*",
"rds:Describe*",
"rds:ListTagsForResource",
"s3:List*",
"sqs:GetQueueAttributes",
"sqs:ListQueues"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1415015011805",
"Action": [
"ec2:Describe*",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DeleteVolume",
"ec2:CreateTags",
"ec2:ReleaseAddress",
"ec2:RegisterImage",
"ec2:CreateImage",
"ec2:DeregisterImage",
"ec2:DisassociateAddress",
"ec2:TerminateInstances",
"ec2:CreateImage",
"ec2:ModifySnapshotAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:GetReservedInstancesExchangeQuote"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "Stmt1415015042420",
"Action": [
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:Describe*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "Stmt1415015086161",
"Action": [
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "Stmt1415015300839",
"Action": [
"rds:Describe*",
"rds:List*",
"rds:CreateDBSnapshot",
"rds:DeleteDBSnapshot",
"rds:DeleteDBInstance"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "Stmt1415015300851",
"Action": [
"iam:List*",
"iam:Get*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "Stmt1415015300878",
"Action": [
"autoscaling:Describe*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "Stmt1445611947000",
"Effect": "Allow",
"Action": [
"redshift:Describe*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948000",
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics",
"dynamodb:DeleteTable"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948010",
"Effect": "Allow",
"Action": [
"opsworks:Describe*",
"opsworks:Get*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948020",
"Effect": "Allow",
"Action": [
"route53:Get*",
"route53:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948021",
"Effect": "Allow",
"Action": [
"elasticache:Describe*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948022",
"Effect": "Allow",
"Action": [
"elasticmapreduce:Describe*",
"elasticmapreduce:List*"
],
"Resource": "*"
},
{
"Action": [
"cloudtrail:ListTags",
"cloudtrail:GetEventSelectors",
"events:*",
"sns:Set*",
"sns:Get*",
"sns:GetTopicAttributes",
"sns:DeleteTopic",
"sns:Create*",
"sns:Unsubscribe",
"sns:ConfirmSubscription",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:List*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "Stmt1534849103503"
},
{
"Sid": "Stmt1445611948023",
"Effect": "Allow",
"Action": [
"dynamodb:Describe*",
"dynamodb:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948025",
"Effect": "Allow",
"Action": [
"elasticmapreduce:Describe*",
"elasticmapreduce:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948024",
"Effect": "Allow",
"Action": [
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948028",
"Effect": "Allow",
"Action": [
"cloudfront:Get*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948029",
"Effect": "Allow",
"Action": [
"elasticache:Describe*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948030",
"Effect": "Allow",
"Action": [
"config:Describe*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948035",
"Effect": "Allow",
"Action": [
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948036",
"Effect": "Allow",
"Action": [
"cloudfront:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948076",
"Effect": "Allow",
"Action": [
"kinesis:ListStreams"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948086",
"Effect": "Allow",
"Action": [
"glacier:ListVaults"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948089",
"Effect": "Allow",
"Action": [
"sqs:ListQueues",
"sqs:GetQueueAttributes"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948088",
"Effect": "Allow",
"Action": [
"workspaces:Describe*",
"elasticache:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948091",
"Effect": "Allow",
"Action": [
"s3:List*"
],
"Resource": "*"
},
{
"Sid": "Stmt1445611948092",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:TagResource",
"lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:ListAliases",
"lambda:UpdateFunctionConfiguration",
"lambda:GetFunctionConfiguration",
"lambda:UntagResource",
"lambda:UpdateAlias",
"lambda:UpdateFunctionCode",
"lambda:GetFunctionConcurrency",
"lambda:ListTags",
"lambda:DeleteAlias",
"lambda:DeleteFunction",
"lambda:GetAlias",
"lambda:CreateAlias"
],
"Resource": "arn:aws:lambda:*:*:function:*"
},
{
"Sid": "Stmt1445611948093",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"iam:PassRole"
],
"Resource": "*"
}
]
}
The Azure account is a globally unique entity that gets you to access Azure services and your Azure subscriptions. You can create multiple subscriptions in your Azure account to create separation, for example, for billing or management purposes. You can configure your Azure account in Beam to enable cost visibility and optimization capabilities for your Azure cloud resources. Once you configure the Azure account, Beam fetches your Azure cost data and provides insights on cost and optimization. For detailed procedure about onboarding the following two Azure billing account types, see
This section describes the procedure to add your first Azure enterprise agreement account in Beam. Beam fetches the billing data of all projects associated with the given billing account and provides visibility into your spend.
To add your Azure account, do the following:
Beam uses the Azure Active Directory (AD) application to interact with Azure Portal.
Enter the Domain Name , Tenant / Directory ID , Application ID , and Secret Key . Click How do I get it? to see on-screen instructions on getting the application configuration details from the Azure portal. Alternatively, see Configuring Azure App (Azure Portal).
Click Download Script to download the PowerShell script. Click How do I assign role? and follow the on-screen instructions to run the script in the Azure PowerShell . Alternatively, see Assigning Role (PowerShell).
Ensure that you observe the guidelines related to the PowerShell script created by Beam. For more information, see PowerShell Script Guidelines.
You can also assign roles manually. See Assigning Role (Without PowerShell).
If the enrollment is successful, the enrollment and associated tenant and subscriptions get captured in Beam.
To create a playbook for automating your regular workflows, you must configure an Azure Function App for your Enrollment account.
You can create multiple subscriptions in your Azure account to create separation, for example, for billing or management purposes.
Any subscription for which you have the owner access; and is not already configured in Beam is added in a few minutes.
To add tenants to your Azure account, do the following.
After your Azure account configuration in Beam is complete, you can verify if the configuration is correct.
To test if your Azure account is accessible, go to https://ea.azure.com/.
If you are able to access this page and no error message appears, your Azure access is correct.
To capture enrollment number, do the following.
To capture the enrollment access key, do the following.
To configure Azure app, do the following.
Azure Cloud - https://portal.azure.com/
Azure Government Cloud - https://portal.azure.us/
When the Azure App configuration credentials provided in the Beam console fail during validation, you can perform the following steps to validate them.
To troubleshoot the Azure app configuration step failure, do the following.
az login --service-principal --tenant TENANT_ID -u APPLICATION_ID -p SECRET_KEY --allow-no-subscriptions
In such a case, it is recommended to wait for 2 to 5 minutes and then click Next in the App Configuration step (step 4) . This should work without any error.
To assign a role, do the following.
cd | ls
./<file-name>.ps1
You can manually assign roles from the Azure Portal. Log on to the Azure Portal (Azure Cloud - https://portal.azure.com/, Azure Government Cloud - https://portal.azure.us/) and go to the Subscriptions page.
Perform the following steps after the Configuring Azure App steps of the enrollment onboarding process.
To manually assign roles, do the following.
To retrieve the tenant information, do the following.
You can use the Edit Subscriptions option to grant write permissions for your subscriptions.
To enable the write permissions for Azure subscriptions, do the following.
Beam simplifies onboarding using PowerShell scripts by eliminating the manual steps of permission and role assignments for multiple subscriptions.
Observe the following guidelines related to the PowerShell script created by Beam.
To avoid charges, delete the storage account after script execution.
This section describes the procedure to add your Azure MCA billing account in Beam. Beam fetches the billing data of all subscriptions associated with the given billing account and provides visibility into your spend.
To add your Azure MCA billing account, do the following:
Enter the Account ID and a name for your MCA billing account.
To know how to get your account ID from the Azure portal, click Read our documentation to see the on-screen the instructions. Alternatively, see Capturing MCA Billing Account ID (Azure Portal).
Beam uses the Azure AD application to interact with the Azure portal and to fetch billing, purchase, and pricing data.
For the on-screen instructions on how to create an Azure AD application, click Read our documentation .
For the on-screen instructions on how to get the application configuration details from the Azure portal, click How do I get client id? , How do I get secret key? , or How do I get tenant id? . Alternatively, see Configuring Azure MCA App (Azure Portal)
To provide the necessary permissions on the Azure portal, click Read our documentation to see on-screen instructions. Alternatively, see Assigning Billing Account Reader Role (Azure Portal).
If the Azure MCA billing account is onboarded successfuly, the associated subscriptions get captured in Beam.
To capture the account ID, do the following.
To configure Azure app, do the following.
For now, Beam supports only single tenant application.
The Azure portal displays the corresponding application's Overview pane.
This section describes how to assign the Billing account reader role to the application from the Azure Portal.
Perform the following steps after the Configuring Azure MCA App (Azure Portal) steps of the MCA onboarding process.
To assign Billing account reader role, do the following.
This section describes how to provide granular permissions at a subscription level to enable optimization and click-to-fix actions and manage your Azure AD applications.
You can also search for the subscription by typing its name in the search box.
The available options are as follows.For the on-screen instructions on how to get the application configuration details from the Azure portal, click How do I get client id? , How do I get secret key? , or How do I get tenant id? . Alternatively, see Configuring Azure MCA App (Azure Portal)
To run the script in Azure PowerShell , click How do I execute the script? and follow the on-screen instructions. Alternatively, see Assigning Role (PowerShell).
You can also assign roles manually. For more details, see Assigning Role (Without PowerShell)
A table that contains the applications is displayed.
A Edit Azure App pop-up window appears allowing you to update the App Name , Client ID , Secret Key , and Tenant ID .
For the on-screen instructions on how to get the application configuration details from the Azure portal, click How do I get client id? , How do I get secret key? , or How do I get tenant id? . Alternatively, see Configuring Azure MCA App (Azure Portal)
Click Save when you are done.
Click Delete in the confirmation pop-up window.
This section describes how to modify the Azure MCA billing account, application details, and configure permissions for multiple subscriptions within the Azure MCA billing account as a bulk update for billing or management purposes.
In the Edit permission for Subscriptions page, the permissions and entries for the subscriptions are displayed.
You can also search for the subscription by typing its name in the search box.
For the on-screen instructions on how to get the application configuration details from the Azure portal, click How do I get client id? , How do I get secret key? , or How do I get tenant id? . Alternatively, see Configuring Azure MCA App (Azure Portal)
To run the script in Azure PowerShell , click How do I execute the script? and follow the on-screen instructions. Alternatively, see Assigning Role (PowerShell).
You can also assign roles manually. For more details, see Assigning Role (Without PowerShell)
For the on-screen instructions on how to get the application configuration details from the Azure portal, click How do I get client id? , How do I get secret key? , or How do I get tenant id? . Alternatively, see Configuring Azure MCA App (Azure Portal)
Click Delete in the confirmation pop-up window.
To assign a permission, do the following.
cd | ls
.\<file-name>.ps1
This section describes how to manually assign permissions from the Azure Portal.
Perform the following steps after you configure the Azure MCA application as mentioned in the Configuring Azure MCA App (Azure Portal) section of the onboarding process.
To manually assign roles, do the following.
Beam Gov(US) is an isolated instance running in AWS GovCloud (US) region to cater specific regulatory compliance requirements of the US government agencies at federal, state, and local levels, government contractors, educational institutes, and other US customers who run sensitive workload in AWS GovCloud and Azure Government Cloud, and want to bring Cost Governance for their cloud infrastructure, gain visibility, optimize and control their spend. Beam Gov(US) provides a single plane consolidated view for Cost Governance.
Contact the sales team expressing an interest in using Beam Gov(US).
The request is forwarded for verification to the Nutanix GovCloud Security team. As part of the verification, you will receive a form through DocuSign that you must fill and send back.
Once the request passes through the verification, Customer Service initiates the account creation process, and the primary user is notified with login details through an email. The email contains verification link, upon verifying email, the user can login to the Beam Gov(US).
After your Beam Gov(US) signup is complete, you can start onboarding your GovCloud account in Beam.
In AWS, a GovCloud account is always attached to a commercial account. This commercial account can be a linked account or a payer account.
To start with adding the GovCloud account in AWS, click the Hamburger icon in the top-left corner to display the main menu. Then, click Configure > AWS Accounts .
You can view the list of AWS commercial accounts. You can click Add Gov Account against the commercial account to which you associated your GovCloud account. The Add AWS Account page appears.
The steps to add a GovCloud account is the same as to add an AWS commercial account. To add your GovCloud account, see Adding AWS Account (step 6 to step 10) .
After you complete the steps to add the GovCloud account, you can view the GovCloud account linked to the commercial account.
In the case of Azure Government account onboarding, the steps are the same as commercial account onboarding.
Make sure that you select US Government Cloud to add a GovCloud account in the Enrollment Type list.
For the remaining step-by-step details, see Adding Azure Account.
You can add and manage users for GovCloud using the Beam console.
To go to the User Management page, click the Hamburger icon in the top-left corner to display the main menu. Then, click Configure > User Management . To add a user, see Adding a Beam User.
In the case of AWS user management, the user may have access to the commercial account but no access to the GovCloud account linked to the commercial account. To give AWS GovCloud account access to a user, you must select the GovCloud account linked to the commercial account.
You can reset your password and enable or disable MFA from the Profile page in the Beam console.
To go to the Profile page, click the user drop-down menu on the top-right corner and select Profile .
To change your password, click the Change Password link.
To enable MFA, do the following.
The Enable Multi-factor Authentication page appears.
The virtual MFA application starts generating codes.
To disable MFA, click the Disable MFA link in the Profile page.
In the case your MFA device is lost or not accessible, click Login via OTP (for lost MFA)? link. Beam sends an OTP to your registered email id. Enter the OTP to login to Beam.
The following section describes how to configure the single sign-on feature for Beam Gov(US).
To configure the single sign-on feature, do the following.
A success message appears, displaying that the single sign-on is successfully configured.
You are redirected to your organization’s single sign-on application page.
Enter your credentials and login to Beam Gov(US).
After configuring the Azure account, ensure that you add all the tenants within your account in Beam for maximum savings recommendations. For more information, see Adding Azure Tenants.
Beam allows you to define configuration settings for your cloud cost data. Cost Configuration is a set of rules that allow you to update cost inputs manually, and also select cost presentation options, allocation model options, and reporting rules that define how the cost of cloud resources get reported in Beam.
Beam provides you with multiple options when performing AWS cost configuration to let you choose how you want to present the cloud spend in Beam.
All cost presented through Beam is generated depending on the options you select.
The Cost Logic selection is applicable for determining how AWS RI, Savings Plan, EDP, Credits, Refunds, and Taxes get reported in Beam.
In the case of taxes, AWS reports the amortized cost of the tax at the account level. Beam does the amortization calculation at the service, region, resource level, and so on.
The Amortized Cost logic is useful in cases where you want to view the cost of resources on an accrual basis considering the usage of RI, Savings Plan, Discounts, and Taxes specific to that resource.
If you select the Absolute Cost option as the cost logic, the cost of RI, Savings Plan, EDP, Credits and Refunds is shown as a separate line item, and cloud resource cost is reported without the apportioned cost of RI, Savings Plan, and so on. This results in a spike on the day monthly RI fee or upfront RI fee gets charged.
You can select between blended cost and unblended cost.
Beam provides you with the option to include or exclude the credits and refunds in the cost report irrespective of the Amortized Cost or Absolute Cost selection.
If you select the Include option, Credits and Refunds are shown in the cost report as a separate line item or amortized and apportioned to a resource depending on the selection between the absolute cost or amortized cost, respectively.
If you select the Exclude option, Credits and Refunds are not shown in the cost report to the user (for example, Scope or Cost Center viewers). It also gets excluded from the Analyze page.
AWS provides enterprises a discount on its services against a volume spend commitment. For example, an enterprise commits to spending $2 million on AWS services and receives a certain percentage of the discount. The enterprise must pay $2 million even if they do not spend the amount.
Beam provides you with the option to include or exclude the EDP discount in the cost report. EDP discount is applicable to both amortized and absolute cost logic.
If you select the Include option, EDP discount is shown in the cost report as a separate line item or amortized and apportioned to a resource depending on the selection between the absolute cost or amortized cost, respectively. If you select the Exclude option, EDP discount is not shown in the cost report to the user (for example, Scope or Cost Center viewers). It also gets excluded from the Analyze page.
You can add the EDP contract details in Beam. Adding the EDP contract details allows you to view the projected spend after the EDP discount in the Analyze page. Any discount from EDP from the current usage gets reported in CUR and Beam reports accordingly.
For future projections, you need to add contract details which Beam uses for projection.
This section provides the steps to configure the AWS cost logic. The cost report gets generated according to the logic you configure. Also, the configured logic applies to all the available views in Beam.
To configure the AWS cost logic, do the following.
For more information, see AWS Enterprise Discount Program (AWS EDP) .
AWS provides enterprises a discount on its services against a volume spend commitment. Adding the EDP contract details in Beam allows you to view the projected spend after the EDP discount in the Analyze page.
Do the following:
You can add multiple EDP contracts. Also, you can click Manage against an EDP contract to change the contract details.
Configure currency to view the cloud spend in your preferred currency.
The currency configuration reduces the ambiguity in analyzing cloud spend from different cloud providers who often provide billing data in different currencies. For example, GCP might report cloud consumption in INR while AWS report cloud consumption in USD. Consolidating the billing data from these different sources without considering currency type results in ambiguous reports and dashboards. In order to simplify multicloud cost governance, Beam allows you to configure a single currency to calculate spend data across all views. You can also configure the corresponding conversion rates for the configured currency or use dynamic rates that Beam provides.
Source currency is the currency that your cloud service provider reports billing. When you onboard multiple cloud billing accounts from different cloud providers or regions, you can see a consolidated list of all the source currencies in the respective billing data on the Currency Configuration page. If you onboard a GCP billing account reported in INR and an AWS payer account reported in USD, you will see INR and USD in the source currency list.
You can use this configuration to select the target currency and the corresponding conversion rates applicable for spend analysis across Beam.
To configure the currency, do the following:
In the text box, enter the exchange rates as shown in the following figure.
Limitations and guidelines to consider when using the currency configuration.
Beam uses the source currency provided in the billing data for assessing reserved instances and displays the data in source currency. Beam does not use the target currency provided in the currency configuration page for assessing reserved instances.
The following sections describe the dashboard view for your cloud accounts (AWS, Azure, or GCP), business units and cost centers (financial view), All Clouds (multicloud), and scopes.
The Dashboard provides a snapshot of your overall spend, spend analysis, Reserved Instances (RI) utilization, and spend efficiency.
You can also create a custom report to analyze the cost. To generate a custom report, click Build Custom Report at the bottom of the screen. For more information, see Creating Custom Reports (AWS).
The dashboard for Azure provides a holistic overview of your overall Azure spend.
Azure dashboard enables you to do the following cost management tasks.
View | Description |
---|---|
Spend Overview | Provides the total cost of services and subscriptions for your Azure account. You can change the view of the graph by switching between Services and Subscription views. The graph displays the top four costing services and subscriptions, and the remaining gets grouped under Others . To view the details of the cost, click the View All button, which redirects you to the Analyze page. |
Spend Analysis | Provides the cost trends distributed over the period. You can view the spend analysis based on the Daily or Monthly filters. To view the details of the cost, click the View Cost Analysis button, which redirects you to the Analyze page. |
Top Resource Groups | Provides the cost associated with the resource groups in your Azure infrastructure. This widget displays the top four costing resource groups and groups the remaining cost under Others . Click the Monthly or Daily selector icons to see monthly or daily views. To view the details of your selection, click the View All button, which redirects to the Analyze page. |
Spend Efficiency |
The spend efficiency widget displays the spending efficiency as percentage for the last seven days. The spend efficiency value helps to identify how well the Azure resources are getting utilized. The spend efficiency widget also shows the cost optimization opportunities as Potential Savings , Unused Resources , and Resizable Resources . To the optimization details, click the View Potential Savings button, which redirects you to the Save page. |
The GCP dashboard provides you a summarized and graphical view of your overall GCP spend across the billing accounts and resources. The dashboard provides you the current spends and projections of your GCP cloud resources.
View | Description |
---|---|
Spend Overview - Projects | Displays a pie chart of the spend breakup summary by GCP projects for the current month to date. To view details for your overall spend, click View Details , which redirects you to the Analyze page . |
Spend Analysis |
Displays a bar chart of the historical spend analysis along
with the summarized spend data based on the selected period.
|
Spend Overview - Services | Displays a pie chart of the spend breakup summary by GCP services for the current month to date. To view details for your overall spend, click View Details , which redirects you to the Analyze page . |
Spend Overview - Usage Type |
Displays a pie chart of the spend breakup summary by GCP usage types for the current month to date. To view details for your overall spend, click View Details , which redirects you to the Analyze page. GCP Compute Engine allows you to purchase committed use contracts in return for discounted prices for VM usage. You can purchase compute resources at a discounted price in return for committing to paying for those resources for one year or three years. |
Dashboard provides a snapshot of your overall spend, spend analysis, and spend efficiency.
This section provides detail for the following views - All Clouds , Financial , and Scopes . Click View in the top-right corner to open the View Selector and select different views.
Analyze allows you to drill down into your cloud spend, slice, and dice all the cloud cost data. You can analyze each cloud in detail across accounts, services, purchase options, and other different attributes. You can analyze data historically across days and past months.
Beam not only provides spend analytics on past data but uses its in-built algorithms to report on the spend anomalies, and forecast future spend patterns. This projection is available for the current month and next 6 months across accounts or services.
To view the Analyze page, click the Hamburger icon in the top-left corner to display the main menu. Then, click Analyze . Click View in the top-right corner to open the View Selector Pop-up and select the Cloud , Financial , or Scope view you want. The view selected from Dashboard , Report , Save , or Purchase gets persisted in Analyze and defaults to the last selected view.
The Analyze page displays the following:
Beam considers the last 150 days of cost data starting from T-3 days (T is the current date) and applies ML algorithms to project the cost for upcoming 6 months. The algorithms run daily and provide future cost projections.
In case the data is available for less than 150 days, Beam considers the available data to project the cost. If the cost data is not available, Beam shows the projected spend as zero. Beam starts displaying the projected spend as soon as data becomes available.
Analyze allows you to track cost consumption across all your cloud resources at both the aggregate and granular level. You can drill down cost further based on your services, accounts, or application workload.
This view provides deep visibility into your projected and current spend. Analyze displays a line chart to project cost consumption that helps you view and analyze your cost and usage across your organization.
To view the AWS cost analysis, select Analyze from the main menu. Then, click View in the top-right corner to open the View Selector and select AWS .
Other subscriptions charges filter - Subscription charges apart from RI charges and Marketplace charges. For example, APN annual fees.
View | Description |
---|---|
Overview | Displays the total AWS spend (subscription charges and taxes). |
Accounts | Displays the total cost of the linked accounts in your AWS payer account. |
Cost Centers | Displays the total spend grouped by Beam cost centers. This view includes the unallocated costs that are not tagged in your AWS account. |
Charge Types | Displays the total spend grouped by the AWS line item type. For example, credit, fee, tax, usage and so on. |
Services | Displays the total spend grouped by services. By default, this view displays the cost breakup of the top five services that are used the most in your AWS account. |
Regions | Displays the total cost grouped by regions. |
API Operation | Displays the total cost of all the API operation requests on your AWS services. |
Purchase Option | Displays the breakup of Reserved, Unused Reservation, Savings Plan, Unused Savings Plan, Spot and On Demand Cost. |
Tags | Displays the total cost based on the service tag applied to your AWS resources. You can click the tag drop-down list to select a service tag. |
The projected spend view provides insight into the actual and projected cost for the selected period. You can select different time ranges from the Time range drop-down list in the Filters option.
View | Description |
---|---|
Overview | Displays a line chart of the projected and actual spend for the selected period. |
Accounts | Displays a line chart of the projected and actual spend for all the linked accounts in your AWS account. |
Services | Displays a line chart of the projected and actual spend of the top five services that are used the most in your AWS account. |
You can track and set alerts for your AWS cloud budget. To set alerts, click Configure Budget Alerts at the top-right corner of the view. For more information, see Configuring Budget Alerts .
The Compute view provides the cost specific to all the compute resources configured on AWS. For example, EC2-Instance, EC2-NAT Gateway.
View | Description |
---|---|
Overview | Displays a line chart of the total spend for all the compute resources for the selected period. You can hover over the stacked bar to view the total spend for a specific day. |
Account | Displays a line chart of the total cost for all the linked accounts in your AWS payer account. |
Cost Centers | Displays the total spend grouped by Beam cost centers. This view includes the unallocated costs that are not tagged in your AWS account. |
Charge Types | Displays the total spend grouped by the AWS line item type. For example, credit, fee, tax, usage and so on. |
Sub Services | Displays a line chart of the total cost for all the sub-services activated in your AWS account. |
Instances | Displays a line chart of the total cost for all the instances purchased. |
Instance types | Displays a line chart of the total cost according to your instance type. |
Tags | Displays a line chart of the total cost based on the service tag applied to your AWS resources. You can click the tag drop-down list to select a service tag. |
View | Description |
---|---|
Overview | Displays a line chart of the total spend for all your database services configured in your AWS account for the selected period. You can hover over the stacked bar to view the total spend for a specific day. |
Accounts | Displays a line chart of the total cost for all the linked accounts in your AWS payer account. |
Cost Centers | Displays the total spend grouped by Beam cost centers. This view includes the unallocated costs that are not tagged in your AWS account. |
Charge Types | Displays the total spend grouped by the AWS line item type. For example, credit, fee, tax, usage and so on. |
Sub Services | Displays a line chart of the total cost for all the sub-services activated in your AWS account. |
Instances | Displays a line chart of the total cost for all the instances purchased. |
DB Engines | Displays a line chart of the total cost for all the database engines. |
Instance types | Displays a line chart of the total cost according to the instance type purchased. |
Tags | Displays a line chart of the total cost based on the service tag applied to your AWS resources. You can click the tag drop-down list to select a service tag. |
View | Description |
---|---|
Overview | Displays a line chart of the total spend for all your storage resources running on AWS for the selected period. You can hover over the stacked bar to view the total spend for a specific day. |
Accounts | Displays a line chart of the total storage cost for all the linked accounts in your AWS payer account. |
Cost Centers | Displays the total spend grouped by Beam cost centers. This view includes the unallocated costs that are not tagged in your AWS account. |
Charge Types | Displays the total spend grouped by the AWS line item type. For example, credit, fee, tax, usage and so on. |
Sub Services | Displays a line chart of the total storage cost split for all the sub-services activated in your AWS account. |
Buckets | Displays a line chart of the total storage cost grouped by all the buckets created in your AWS accounts. |
Tags | Displays a line chart of the total cost based on the service tag applied to your AWS resources. You can click the tag drop-down list to select a service tag. |
View | Description |
---|---|
Overview | Displays a line chart of the total spend incurred for all the data transfer across your AWS services for the selected period. You can hover over the stacked bar to view the total spend for a specific day. |
Accounts | Displays a line chart of the total cost for all the linked accounts in your AWS payer account that you are analyzing. |
Services | Displays the total cost for all the services activated in your AWS account. |
Regions | Displays a line chart of the total cost incurred in moving data according to the AWS regions. |
Resources | Displays a line chart of the data transfer cost grouped by the resources. |
Tags | Displays a line chart of the total cost based on the service tag applied to your AWS resources. You can click the tag drop-down list to select a service tag. |
Beam allows you to analyze your projected and current Azure cloud spends. Beam makes this planning process easy using machine intelligence and recommendation algorithms that analyze your workload patterns.
To view the Azure cost analysis, select Analyze from the main menu. Then, click View in the top-right corner to open the View Selector and select Azure .
The Analyze page has the following tabs.
View | Description |
---|---|
Overview | Actual and projected overall cost for the selected period. |
Subscriptions | Cost of subscriptions on your Azure account. |
Cost Centers | Total spend grouped by Beam cost centers. This view includes the unallocated costs that are not tagged in your Azure account. |
Services | Cost of Azure services based on the service category like data management, networking, and storage. |
Service Types | Cost based on the type of Azure service you consume. |
Regions | Cost based on the region in which the resource is hosted. |
Azure Cost Centers | Cost based on the configured Azure cost centers. |
Department | Cost based on the configured department. |
Resource Groups | Cost based on the configured resource group. |
Tags | Cost based on the tags applied on the Azure resources. |
The projected spend view provides insight into the actual and projected cost for the selected period. You can select different time ranges from the Time range drop-down list in the Filters option.
View | Description |
---|---|
Overview | The total cost of Azure billing accounts. |
Subscriptions | The actual and projected cost for the chosen Azure subscription for the selected period. |
Services | Cost of Azure services based on the service category like data management, networking, and storage. |
View | Description |
---|---|
Overview | Monthly or daily total usage cost for the VMs running on Azure. |
Sub Services | Monthly or daily split cost for the VM usage based on the different flavors of the VM. |
Cost Centers | Monthly or daily grouped by Beam cost centers. This view includes the unallocated costs that are not tagged in your Azure account. |
Regions | Monthly or daily cost for the usage based on the regions in which the VMs are deployed. |
Resource IDs | Monthly or daily cost for the usage based on the resource IDs of the VMs. |
View | Description |
---|---|
Overview | Monthly or daily total usage cost for the storage resource running on Azure. |
Sub Services | Monthly or daily split cost for the VM usage based on the different types of storage option configured. |
Cost Centers | Monthly or daily grouped by Beam cost centers. This view includes the unallocated costs that are not tagged in your Azure account. |
Regions | Monthly or daily cost for the usage based on the regions in which the storage resources are deployed. |
Resource IDs | Monthly or daily cost for the usage based on the resource IDs of the storage option. |
View | Description |
---|---|
Overview | Monthly or daily total usage cost for the database service running on Azure. |
Sub Services | Monthly or daily split cost for the VM usage based on the different types of database service configured. |
Cost Centers | Monthly or daily grouped by Beam cost centers. This view includes the unallocated costs that are not tagged in your Azure account. |
Regions | Monthly or daily cost for the usage based on the regions in which the database service is configured. |
Resource IDs | Monthly or daily cost for the usage based on the resource IDs of the database service. |
Analyze allows you to drill down into your cloud spend, slice and dice all the cloud cost data. You can analyze the GCP cloud spend in detail across projects, services, usage types, regions, and other attributes. You can analyze data historically across days and past months.
Beam not only provides spend analytics on past data but uses its in-built algorithms to forecast future spend patterns. This projection is available for the current month and next six months across projects or services.
To view the GCP cost analysis, select Analyze from the main menu. Then, click View in the top-right corner to open the View Selector and select GCP .
Analyze provides cost analysis capability for the GCP Billing account and the Project that you select from the View Selector . The view that you select from Dashboard and Report gets persisted in Analyze and defaults to the last selected view.
The Folder list displays the information in the Project/Folder/Sub-folder format. For example, 952341568867/664245889765/897640334598 .
The current spend view provides the current GCP cost and its breakdown based on the different usage and resource data.
View | Description |
---|---|
Overview |
Displays the total GCP spend. You can view the total spend for each day or month. Use the drop-down list in the top-right corner of the page to select Day or Month . |
Projects | Displays the total spend grouped by Projects associated with the GCP billing account. |
Cost Centers | Displays the total spend grouped by cost centers defined in Beam. This view includes the unallocated costs that are not tagged in your GCP billing account. |
Charge Types | Displays the total spend grouped by the GCP line item type. |
Service Types | Displays the total spend grouped by service type. For example: network, compute, and storage. |
Services | Displays the total spend grouped by services. |
Usage Types | Displays the total spend grouped by usage types. For example: OnDemand and Commit1Yr. |
Regions |
Displays the total spend grouped by regions.
Note:
A region is a specific geographical location
where you can host your resources. Regions have
three or more zones. For example, the us-west1
region denotes a region on the west coast of the
United States that has three zones: us-west1-a,
us-west1-b, and us-west1-c.
|
Zones | Displays the total spend grouped by zones. |
Labels |
Displays the total spend grouped by
labels that you added for your GCP
resources.
Note:
You can use labels to group
resources that are related or associated with each
other. For example, you can label resources
intended for production, staging, or development
separately, so you can easily search for resources
that belong to each development stage when
necessary. You always add labels as key and value
pairs.
|
View | Description |
---|---|
Overview | Displays the projected and actual spend for the selected period. |
Projects |
Displays the projected and actual spend for all the projects in your GCP billing account. |
Services | Displays the projected and actual spend for all the services in your GCP billing account or project. |
View | Description |
---|---|
Overview | Displays the total spend for all the compute resources for the selected period. You can hover over the graph to view the total spend for a specific day. |
Projects | Displays the total compute spend for all the linked projects in your GCP billing account. |
Cost Centers | Displays the total spend for all the compute resources grouped by cost centers. |
Charge Types | Displays the total spend for all the compute resources grouped by the GCP line item type. |
Services | Displays the total compute spend for all the services activated in the projects linked to the selected GCP billing account. |
Usage Types | Displays the total compute spend based on the usage types (OnDemand, Committed, and so on). |
Regions | Displays the total compute spend incurred across the GCP regions. |
Zones | Displays the total compute spend incurred across the GCP zones. |
Labels | Displays the total compute spend based on the labels applied to your GCP resources. You can click the Labels drop-down list to select a label. |
View | Description |
---|---|
Overview | Displays the total spend for all your storage resources running on GCP for the selected period. You can hover over the graph to view the total spend for a specific day. |
Projects | Displays the total storage spend for all the linked projects in your GCP billing account. |
Cost Centers | Displays the total storage spend for all the resources grouped by cost centers. |
Charge Types | Displays the total storage spend for all the resources grouped by the GCP line item type. |
Services | Displays the total storage spend split for all the services activated in the projects linked to the selected GCP billing account. |
Usage Types | Displays the total storage spend based on the usage types (OnDemand, Committed, and so on). |
Regions | Displays the total storage spend incurred across the GCP regions. |
Zones | Displays the total storage spend incurred across the GCP zones. |
Labels | Displays the total storage spend based on the labels applied to your GCP storage resources. You can click the Labels drop-down list to select a label. |
View | Description |
---|---|
Overview | Displays the total spend for all your network resources running on GCP for the selected period. You can hover over the graph to view the total spend for a specific day. |
Projects | Displays the total network spend for all the linked projects in your GCP billing account. |
Cost Centers | Displays the total network spend for all the network resources grouped by cost centers. |
Charge Types | Displays the total network spend for all the network resources grouped by the GCP line item type. |
Services | Displays the total network spend split for all the services activated in the projects linked to the selected GCP billing account. |
Usage types | Displays the total network spend based on the usage types (OnDemand, Committed, and so on). |
Regions | Displays the total network spend incurred according to the GCP regions. |
Zones | Displays the total network spend incurred according to the GCP zones. |
Labels | Displays the total network spend based on the labels applied to your GCP network resources. You can click the Labels drop-down list to select a label. |
The Analyze page allows you to track cost consumption across all your cloud resources (AWS, Azure, GCP, and Nutanix) at both the aggregate and granular level. You can drill down cost further based on the accounts, services, locations, or tags within your business unit or cost center.
This view provides deep visibility into your projected and current spend. Analyze displays a line chart to project cost consumption that helps you view and analyze your cost and usage across all clouds, business unit, cost center, or scopes you select.
To view the Analyze page, click the Hamburger icon in the top-left corner to display the main menu. Then, click Analyze . Click View in the top-right corner to open the View Selector pop-up and select All Clouds .
View | Description |
---|---|
Overview | Displays the total spend across all configured clouds. |
Accounts | Displays the total cost of the linked accounts in your AWS payer account, subscription of your Azure account, and projects associated with your GCP billing account. |
Cost Centers | Displays the total spend grouped by cost centers across all configured clouds. |
Services | Displays the total spend grouped by services. |
Regions | Displays the total cost grouped by regions. |
Tags | Displays the total cost based on the service tag applied to your resources. You can click the tag drop-down list to select a service tag. |
The projected spend view provides insight into the actual and projected cost for the selected period. You can select different time ranges from the Time range drop-down list in the Filters option.
In a view, you can drill down the cloud spend by clicking Filters . The Filters pane includes a set of fields that vary according to the cloud type. Select the desired resources to drill down your cloud spend and analyze only the resources of your interest. Further review the cloud spend analytics or download the reports specifically for these resources.
The anomaly detection feature in Beam is an intuitive cost governance mechanism for public clouds (AWS and Azure).
Anomaly detection identifies and reports cost spikes in your cloud account by analyzing the spending trend on your subscribed resources.
You can use anomaly detection to discover cost anomalies and the resources that are causing the anomalies to take corrective actions, like, optimizing or shutting down resources that are not legitimate. Anomaly detection is useful for dynamic environments and where static budget thresholds are less efficient since they do not process the historical consumption pattern.
Beam allows you to view anomalies detected in your AWS and Azure cost.
To view cost anomalies detected by Beam, do the following.
Go to the Analyze > Current Spend tab.
Cost anomalies detected on your spending pattern are highlighted with an arrow sign pointing to the date on which the spike is detected. You can hover over the arrowhead icon to see the percentage increase in cost from the previous day.
Beam generates reports to track cost consumption across all your cloud accounts at both aggregate and granular levels, like a functional unit, workloads, and applications.
The reports are generated automatically and are available to view, download, or share from the Beam console. The daily, weekly, and monthly reports are also sent to the registered Beam administrator email address automatically. To customize your email notification preferences, select Profile from the user menu in the top right corner. Then, select Email Preferences in the Preferences section.
Report | Description | Clouds Supported |
---|---|---|
System Reports | ||
Cost Report by Account | Contains month to date detailed spend information based on accounts, regions, and services. The latest report is generated by the end of the day according to your timezone every day. | AWS, Azure, and GCP |
New EC2 RI Recommendation Report | Contains instance-wise details such as region, platform, type, and reservation coverage. The latest report is generated by the end of the day, according to your timezone. | AWS |
EC2 RI Utilization Report | Contains EC2 reservation planning information based on the instance type, region, platform with a complete aggregated account view. The latest report is generated by the end of the day, according to your timezone. | AWS |
Cost Optimization Detailed Report | Contains detailed information about unused resources and rightsizing opportunities for the infrastructure of the selected account. The latest report is generated by the end of the day, according to your timezone. | AWS, Azure |
Tag Based EC2 Instance Type-wise cost Report | Contains tag-wise cost separation, which will help you monitor spend based on resource tags. It also contains a spending breakdown based on the instance type. The latest report is generated by the end of the day, according to your timezone. | AWS |
Bandwidth Summary Report | Contains transfer quantity in GB segregated by transfer type, account, service, resource, and region. The latest report is generated by the end of the day, according to your timezone. | AWS |
EC2 Detailed Insight Report | Contains resource-wise cost optimization details like incurred cost, rightsizing, RI, recommended action, and other information. The latest report is generated by the end of the day, according to your timezone every day. | AWS |
Weekly Reports | ||
Cost Report by Account | Contains detailed spend information based on accounts, regions, and services for the last week. The latest report is generated by Tuesday of every week. | AWS, Azure |
Spend Report by Tags | Contains spend information for the last week based on various resource tags for the selected account. The latest report is generated by Tuesday of every week. | AWS |
Cost Comparison Report | Contains cost comparison data according to accounts, regions, and services for the past two weeks. The latest report is generated by Tuesday of every week. | AWS |
Monthly | ||
Cost Report by Account | Contains detailed spend information based on accounts, regions, and services for the last month. The latest report is generated by the 7th of every month. | AWS, Azure, and Nutanix |
Spend Report by Tags | Contains spend information of last month based on various resource tags for the selected account. The latest report is generated by the 7th of every month. | AWS |
EC2 Spend Report | Contains spend information based on the EC2 instance type, platform, accounts, regions, and purchase option for the last month. The latest report is generated by the 7th of every month. | AWS |
Cost Comparison Report | Contains cost comparison data as per accounts, regions, and services for the last two months. The latest report is generated by the 7th of every month. | AWS |
Expired RI Report | Contains information regarding the RIs that expired in the last 90 days. The latest report is generated by the 7th of every month. | AWS |
Expiring RI Summary Report | Contains information about RIs expiring in less than 30 days, between 31 to 60 days, and between 61 to 90 days as well as their renewal cost. The latest report is generated by the 7th of every month. | AWS |
On Demand vs Reserved Hours Cost | Contains a comparison between On-Demand and Reserved hours based on the instance type. The comparison also includes savings incurred on reserved hours for the last month. The latest report is generated by the 7th of every month. | AWS |
Guidelines for the Share , Schedule , and Download report options.
Beam application generates reports to track cost consumption across all your cloud accounts at both aggregate and granular levels, like a functional unit, workloads, and applications.
To schedule reports, do the following.
Beam application generates reports to track cost consumption across all your cloud accounts at both aggregate and granular levels, like a functional unit, workloads, and applications.
To download reports, do the following:
Beam generates reports to track cost consumption across all your cloud accounts at both aggregate and granular levels, like a functional unit, workloads, and applications.
To share reports, do the following:
Custom reports help in strategic decision making and planning in the cloud. You can create a customized report by aggregating and filtering using various native cloud dimensions and attributes to get insights on cloud usage and cost. The Custom Reports page displays a list of all the custom reports created.
You can create a new report by clicking Add Custom Report at the top-right corner of the Reports > Custom . You can view, edit, schedule, share, download reports (CSV) or delete a previously created report by selecting the options next to the report name. To find a previously created report, start typing the report name in the search bar and select from the auto-populated options.
For more information, see Creating Custom Reports (AWS) and Creating Custom Reports (Azure).
You can create a customized report to analyze the cost and usage across your AWS Accounts, Services, Region, and so on based on the defined range and filters.
To create a custom report, do the following.
You can create a customized report to analyze the cost and usage across your Azure Subscriptions, Products, Region, and so on based on the defined range and filters.
To create a custom Azure report, do the following.
Beam generates reports to track cost consumption across all your cloud accounts at both aggregate and granular levels like a functional unit, workloads, and applications.
To view the reports, click the Hamburger icon in the top-left corner to display the main menu. Then, click Reports . You can use the View Selector to select the business unit, cost center, or scope.
You can click the drop-down menu at the top-right corner to select the Daily Reports or Yearly Reports .
Report | Description |
---|---|
Cost Summary Reports | Contains month to date detailed spend information based on accounts, regions, and services. Beam generates the latest report by the end of the day according to your timezone every day. |
Cost Optimization Detailed Reports | Contains detailed information about unused resources and rightsizing opportunities for the infrastructure of the selected business unit or cost center. Beam generates the latest report by the end of the day according to your timezone every day. |
Historical Budget Reports | Contains past financial year budget reports along with the quarterly summary data and service-wise cost breakdown for each quarter. Click View All to view the list of reports for the past financial years. |
The Chargeback feature enables the financial control of your cloud spends by providing the ability to allocate cloud resources to departments based on definitions. Chargeback also provides a consolidated view across all your cloud accounts in a single pane of finance view.
A business unit is defined as a collection of cost centers. You can use the business units to define hierarchies in your organization between different departments. It is not necessary to define a business unit to view chargeback. You can also define chargeback only based on cost centers.
A cost center is a collection of resources within a single or multiple cloud accounts (AWS, Azure, and GCP). You can assign the resources to the cost center based on tags. You can either allocate a complete account or resources within an account to a cost center.
Unallocated resources are the resources that do not belong to any of the cost centers based on definitions.
Unallocated resources include the following.
The following image describes an example of a multicloud configuration. The cost center consists of Nutanix, AWS, Azure, and GCP resources.
To add a business unit, do the following.
You can edit (or delete) an existing business unit.
To edit a business unit, do the following.
To add a cost center, do the following.
Beam allows you to edit (or delete) an existing cost center.
To edit a configured cost center, do the following.
To allocate an unallocated resource for chargeback, do the following.
An administrator can do the following.
You can select the Allocated and Unallocated options in the top-right corner of the page to view the cost details for allocated and unallocated resources.
In the Unallocated Cost table, you can use the Allocate button to allocate resources to a cost center. To allocate the unallocated resources to cost centers, see Allocating Unallocated Resources To Cost Center.
In the Allocated Cost table, an administrator can browse through all the business units and cost centers (created by the administrator) to view detailed information.
View | Description |
---|---|
Spend Overview | Displays a pie graph of the cost breakup summary for the allocated and unallocated resources. |
Spend Analysis - Unallocated Cost |
Displays a bar graph of the historical spend analysis for the unallocated resources with an actual and projected spend for the last three months. |
Spend Analysis - Allocated Cost | Displays a bar graph of the historical spend analysis for the allocated resources with an actual and projected spend for the last three months. |
Top Spend | Displays the services and accounts that are consumed the most in your business unit or cost center. You can use the drop-down list in the right corner to select Top services or Top accounts . |
Unallocated Cost |
Displays detailed information for the unallocated resources that include the following.
You can also allocate unallocated resources to a cost center. For more information, see Allocating Unallocated Resources To Cost Center. |
Allocated Cost |
Displays detailed information for the allocated resources that include the following.
In the Actions column, you can click the Edit and Delete buttons to edit the resource details or delete the resource. You can use the drop-down list in the top-right corner of the Allocated Cost table to filter the resources by business unit, cost center, or business unit and cost center. You can also click the share and download icons in the top-right corner to share or download the resource details. |
The owners and viewers can view the business units and cost centers for which they have access.
You can use the View Selector (public cloud) and View Selector (Nutanix) to select the business unit or cost center.
The following table describes the widgets available for business unit and cost center views.
View | Description |
---|---|
Spend Overview | Displays the total spend cost (month to date) and the projected spend cost for the business unit or cost center. |
Spend Analysis - Allocated Cost | Displays a bar graph of the historical spend analysis for the allocated resources with an actual and projected spend for the last three months. |
Top Spend | Displays the services and accounts that are consumed the most in your business unit or cost center. You can use the drop-down list in the right corner to select Top services or Top accounts . |
Allocated Cost |
Displays detailed information for the allocated resources (within a cost
center) that includes the following.
You can use the expand icon to view details about services within the
account or subscription.
Note:
If the pulse was not available for a Nutanix cluster
for a given number of days in a month, the
Unmetered Cluster
Cost
line item appears showing the cluster cost incurred for those
days. For more information, see Cost Analysis (Nutanix).
You can click View Details against each service to view the resource details. You can also click the share and download icons in the top-right corner to share or download the detailed report for the cost center. |
The Budget feature in Beam extends the budgeting capability for a business unit, cost center, or scope. A budget allows you to centralize the budget at the business unit, cost center, or scope levels to ensure that your consumption is within the budget that you have defined. You can also create custom budgets.
Beam monitors and tracks the consumption continuously, and you can track any threshold breaches to the budgets that you have configured using the Budget page in the Beam console. Organization level budgets can be tracked at the quarterly or yearly level basis for the selected business unit, cost center, or custom budgets.
The Budget page allows you to view the budget cards based on the budgets that you have configured for your cloud accounts.
The budget card for a business unit or cost center displays the Financial Year , Budgeted , Current Spend , Estimated , and Data Updated information. It also displays the budget spend and the actual spend in a graphical format. You can also edit the budget details or delete an existing budget using the Budget page.
You can define and track a budget based on the following resource groups.
You can add a threshold for your budget alerts. When the budget reaches the threshold you specified, Beam sends a notification to the email addresses you enter when creating the budget alerts.
In the top-right corner, you can click the Expired button to view the expired budgets.
You can do the following in the expired budgets view.
Beam allows you to create Budgets based on the resource groups that you have defined.
To add a global Budget, do the following.
You can add percentages of the total budget value. When the budget reaches the threshold value you entered, Beam sends a notification via an email to the email addresses you enter.
You can add alerts for the following periods.
You can view your budget details from the Budget page in Beam. To view budget details, click View Details option in any of the budget cards. The Year Breakup and Cost Breakup for the budget is displayed.
To download or share the cost breakup report, click the download or share icon.
You can edit the budget alerts for the cost centers and business units in the Budget page. In the Budget page, you can view the budget cards for your cost centers and business units.
To edit the budget alerts for your cost centers, business units, or scopes, do the following.
You can edit the period and threshold values.
The following sections describe the Save page for the AWS and Azure accounts.
Save allows you to optimize your cloud usage by saving money on your total AWS bill. Beam helps you to identify underutilized resources for EBS, EC2, ElastiCache, RDS, EBS, and Redshift.
This view helps you in saving money for your current incurring spends. Beam identifies unused and underutilized resources and provides a specific recommendation for optimal consumption.
View | Description |
---|---|
Projected Savings |
Displays a line chart of the cost-efficiency in terms of cost, saving
opportunities, and the resources being utilized. This view provides the following metrics.
|
Optimization Opportunities |
Displays total savings of the unused resources and underutilized resources. This
view helps you in optimizing your AWS resources. This provides the following metrics:
|
View | Description |
---|---|
Eliminate Unused Resources | Displays a list of the resource category and the total saving incurred in each category. You can delete unused resources to reduce your AWS expenditures. You can view the unused resources under each category by clicking the View List option. The detailed list displays all the resources along with resource name, region, and potential savings per month accrued if you eliminate the resource. |
Edit Cost Policy | You can configure individual audits by clicking the Edit Cost Policy option. |
Eliminate | If you want to delete an unused resource, select the check box in front of the resource name and click Eliminate . You can delete multiple resources at once by selecting the check box for the resources that you want to delete and click Eliminate Selected . |
Suppress | If you want to remove the suggestions for deleting an unused resource, select the check box in front of the resource name. Under Reason for suppress , type a reason to suppress the suggestion and click Suppress . You can remove suggestions for multiple resources at once by selecting the check box for the resources that you want to suppress and click Suppress Selected . |
view | Description |
---|---|
Optimize Cloud Resources | Displays a list of underutilized resources and the total savings accrued after rightsizing the underutilized resources. To view a detailed list of the underutilized resources, select a resource category and click View List . The detailed list displays all the resources along with resource name, region, and potential savings per month accrued if you optimize the resource according to the suggestion. |
Edit Cost Policy | You can configure individual audits by clicking the Edit Cost Policy option. |
How to optimize | If you want to optimize a resource, select the check box in front of the resource name and click How to optimize . This displays the details for optimizing the resource. |
Suppress | If you want to remove the suggestions for deleting an underutilized resource, select the check box in front of the resource name. Under Reason for suppress , type a reason to suppress the suggestion and click Suppress under the resource name and enter a brief message. You can remove suggestions for multiple resources at once by selecting the check box for the resources that you want to suppress and click Suppress Selected . |
Optimization Chart | You can expand the resource item to view the optimization chart. For more information, see Optimization Recommendation Metrics Chart (AWS). |
View | Description |
---|---|
Suppress |
Displays a list of resources that you have suppressed. You can restore these
resources if required. To restore, click
Restore
next to the
resource name that you want to restore.
You can view potential savings on the suppressed resources. You can also expand the suppressed items to view the resource information. |
View | Description |
---|---|
History | Displays the cost and time saved after deleting your unused AWS resources. You can also view the user who carried out the one-click fix. You can filter the list based on regions and audits. History also displays the potential savings on your unused resources that you have deleted. You can also expand the History items to view the resource information. |
This section describes the steps to configure memory metrics for the underutilized EC2 instances in Beam. Memory metrics data allows Beam to provide better recommendations for the underutilized EC2 instances.
To configure memory metrics for the EC2 instances, do the following.
You can expand the resource item to view the optimization chart. Beam provides utilization for the metrics that it considers for the recommendation.
This option is available for the Underutilized EC2 audit.
Beam allows you to save on your currently incurring spends on Azure based on the deep visibility it has into your Azure resources and subscriptions. Beam helps you to identify underutilized resources for Virtual Machines, Redis Cache, SQL DataWarehouse, Azure SQL Databases, PostgreSQL Server, Managed Disks, and MySQL Server.
Beam proactively identifies idle and underutilized resources, and delivers specific recommendations to right‑size infrastructure services and ensure optimal consumption.
In addition to cost monitoring, Beam allows the following actionable insights with the Save option:
View | Description |
---|---|
Overview | The Overview option provides actionable insights with a graphical representation of the cost-saving opportunities determined by looking into all the running resources like compute, storage, and services. |
Eliminate |
The Eliminate option provides the list of unused resources that you can delete to reduce your Azure expenditure. Click any of the resource category, or select View List , to see the detailed list of unused resources within that category. The detailed list provides the resource name, region, and potential savings per month accrued if the resource is eliminated. You can also drill down further to see the details of the resource.
Click
Eliminate
to delete unused resources from the list of
recommendations. You can view the list of deleted resources in the
History
tab.
Note:
Click Suppress to suppress the particular resource from the being suggested in the Eliminate analytics. Click Edit Cost Policy to configure individual audits. |
Optimize |
The under-utilization of the resources is determined by analyzing the metrics of the resources and comparing them against a standard set of criteria for different Azure resources and services. The Optimize option shows a list of all the underutilized resources you can optimize for saving cost. It also shows the total savings accrued after rightsizing such resources. Click any of the resource category, or select View List , to see the detailed list of unused resources within that category. The detailed list provides the resource name, region, and potential savings per month accrued if the resource is optimized per the suggestion. You can also drill down further to see the details of the resource or click Suppress to suppress the particular resource from the being suggested in the optimize list. Click Edit Cost Policy to configure individual audits. You can expand the resource item to view the optimization chart. For more information, see Optimization Recommendation Metrics Chart (Azure). |
Suppressed |
The Suppressed option shows the list of resources that are suppressed from eliminate and optimize analytics. While suppressing a resource, you are prompted to add a reason for suppressing the particular resource. To restore a particular resource from the suppressed list of resources, click Restore . You can view potential savings on the suppressed resources. You can also expand the suppressed items to view the resource information. |
History | Displays the cost and time saved after deleting your unused Azure resources. You can also view the user who carried out the one-click fix. You can filter the list based on regions and audits. History also displays the potential savings on your unused resources that you have deleted. You can also expand the History items to view the resource information. |
You can expand the resource item to view the optimization chart. Beam provides utilization for the metrics that it considers for the recommendation.
The Save page allows you to optimize your cloud usage by saving money on your total AWS and Azure bills within your business unit, cost center, or scope. In the financial and scopes views, you can only view the resources that are unused or underutilized since scopes have read-only access. You need account-level access to perform eliminate or suppress actions.
This section provides detail for the following views - All Clouds , Financial , and Scopes . Click View in the top-right corner to open the View Selector pop-up and select different views.
This view helps you in saving money for your current incurring spends. Beam identifies unused and underutilized resources and provides a specific recommendation for optimal consumption.
View | Description |
---|---|
Overview | The Overview option provides actionable insights with a graphical representation of the cost-saving opportunities determined by looking into all the running resources like compute, storage, and services. |
Eliminate |
You can view the list of unused resources along with the potential savings by eliminating those resources. The Eliminate option is not available for business units, cost centers, and scopes. |
Optimize |
The under-utilization of the resources is determined by analyzing the metrics of the resources and comparing them against a standard set of criteria for different cloud resources and services. The Optimize view shows a list of all the underutilized resources you can optimize for saving cost. It also shows the total savings accrued after rightsizing such resources. The Optimize option is not available for business units, cost centers, and scopes. |
History | Displays the cost and time saved after deleting your unused resources. You can also view the user who carried out the one-click fix. You can filter the list based on accounts, regions, and audits. History also displays the potential savings on your unused resources that you have deleted. You can also expand the history items to view the resource information. |
An audit is a set of rules to filter resources based on the usage parameters used to determine if a specific resource is unused or underutilized. Beam application allows you to define various parameters of an audit. A collection of these audits form a cost policy.
The application allows you to define a specific policy for each cloud account. By default, the application provides you with a system policy for each cloud. You can clone the system policy to create custom policies. You can create multiple custom policies with different configurations and assign them to different cloud accounts.
In the top-right corner of the page, there are two types of views available for you to select.
Configuring a custom cost policy includes the following steps.
To configure a cost policy, do the following.
Also, you can modify a policy. In the More list, click Edit to open the Edit Cost Policy page. Edit the fields you want and click Update Policy to save your changes.
The following sections describes the Purchase page for the AWS, Azure, and Nutanix accounts.
Reserved Instances (RI) allows you to reserve resources for a specific availability zone within a region.
The following table describes the information you can view in the Overview tab.
View | Description |
---|---|
RI Coverage | Displays a line chart of the RI coverage for the selected period by comparing the average RI coverage with the current RI coverage. |
RI Status | Displays the used, unused, and underutilized reservations status. |
RI Calculator | Displays the potential savings, on demand cost, total RI cost, and percentage saving. To view more details, click View RI Recommendations . |
Top Beam Recommendations | Displays the top three cost saving recommendations. To view all the recommendations, click View All Recommendations . |
The following table describes the information you can view in the Coverage tab.
View | Description |
---|---|
RI Coverage | Displays a line chart of the RI usage for the time range selected and provides a percentage of average RI coverage and current RI coverage over the selected time range. The RI Coverage report helps you to discover how much of your overall instance usage is covered by RIs to help you make informed decisions about when to purchase or modify a RI to ensure maximum coverage. |
The following table describes the information you can view in the Portfolio tab.
View | Description |
---|---|
Portfolio | Displays detailed information about the EC2 reserved instances in your AWS account. In the Utilization column, you can view if the reserved instance is used, unused, or underutilized. |
Beam provides three RI change recommendations for unused RIs (convertible type) along with the steps to exchange RI.
Consider that you purchased a convertible type RI and paid $800 upfront for one year. However, the RI is not used actively, say after 3 months. Beam identifies the potential to change this unused RI to a different type of RI that you can use continuously.
Amount you already consumed: (3 months / 12 months) * $800 = $ 200
Amount of consumption left: ($800 - $200) = $600
The new RI change recommendation identified by Beam requires you to pay $700 upfront for a further one year. The remaining credit of $600 applies towards the new RI recommendation, and you are required to pay another $100 for the new RI recommendation. The new RI recommendation is available for use for 12 months from the date of RI change and aligns better with your ongoing consumption of instances. Thus, the RI recommendations dynamically provided by Beam helps you to realize significant savings in the long term based on your real consumption.
Savings Calculation |
---|
Upfront cost paid: $800 |
Additional cost paid according to Beam recommendation: $100 |
Total cost paid for RIs: $900 |
RI value used for the first three months: $200 |
RI value available for the next twelve months: $700 |
Savings realized by using Beam’s recommendations: ($800+$700) - ($900) = $600 over a 15-month period |
Beam also displays the potential savings per year for each change recommendation type. If a Reserved Instance is not in use for more than seven days, Beam considers the RI as unused and provides change recommendations (wherever applicable) for the RI.
To view the change recommendations, go to Change tab.
You can view the list of RI change recommendations. You can expand each row to view further details. You can view the three recommendation types - Best-Fit , Min True-Up Cost , and Max Savings .
The following table describes the information you can view in the Change tab.
View | Description |
---|---|
Change |
Displays a list of RI change recommendations. You can view the
account and the reserve instance ID within that account, which Beam
recommends for exchange.
You can expand each line item to view the recommendation types ( Min True-up Cost , Max Savings , and Best-Fit ). |
View Details | You can click View Details for each recommendation type to view detailed information (contract details, savings, steps to exchange RI etc.). |
Existing Contract | Displays detailed information about the existing contract that includes the type of RI, family, location, remaining time, remaining upfront value, and so on. |
Target Contract | Displays detailed information about the target contract that includes the recommended RI type, family, quantity, true-up cost, and so on. |
Savings | Displays the savings detail. Beam calculates the savings based on the difference between the on-demand cost and the RI cost of the recommended RI type. |
Steps to Exchange RI | Displays the steps to perform the RI change. |
Utilization Chart | Displays the utilization of reserved versus on demand hourly coverage for the selected time range. |
Breakeven Analysis | Displays the spend comparison of the selected RI payment option versus on-demand considering complete RI utilization. |
Matching Instance List | Displays the resources that are running or ran in the time range selected. You can use the View Options area in the bottom-right corner to filter the matching instance according to the accounts and tags. |
The following table describes the information you can view in the Buy tab.
View | Description |
---|---|
RI Purchase Recommendation | Provides a list of instances that you can purchase and displays on-demand cost, reservation cost, and savings for those instances. You can view further details about instances by clicking the arrow next to the instance name. |
Utilization Chart | Displays the utilization of reserved versus on demand hourly coverage for the selected time range. |
Breakeven Analysis | Displays the spending comparison of the selected RI payment option versus on-demand, considering the RI is completely utilized. It also shows the exact date when the on-demand cost overtakes the RI cost. |
Matching Instance List | Displays the resources that are running or ran in the time range selected. You can use the View Options area in the bottom-right corner to filter the matching instance according to the accounts and tags. |
You can use the Filters section at the right corner to select the recommendation parameters you want. Click Apply after you select the recommendation parameters you want.
Azure reservations provide a billing discount on reserving resources or capacity for either one-year or three-year periods.
Beam provides you a single pane of glass management to realize maximum savings on your reserved VM instances (RIs) on Azure. Beam reduces the complexity involved in planning, budgeting, and managing RIs by providing insights on overall RI usage statistics, recommended RI purchases, managing existing RI portfolio, and RI coverage.
You can view the Azure RI option in Beam at the department, account, or subscription levels.
Task | Description |
---|---|
RI Coverage | The RI Coverage widget displays a graph of RI usage. The RI usage graph provides a percentage of your infrastructure covered under reservation benefits. This widget also displays average RI coverage and current RI coverage over the selected time range (default 7 days). You can click View Coverage to be redirected to the Coverage tab where you can view the RI coverage in detail by using the Filters . |
RI Status | The RI Status widget displays the status of used, unused, and underutilized reservations as percentages and reservation units. The units of reservations shown here are the sum of the smallest VM size in the same VM series. |
RI Calculator | The RI Calculator is an interactive widget for pricing comparison of on-demand and reserved instances in Azure. The widget provides the potential savings, on-demand cost, Total RI cost, and percentage savings based on the period (1 year or 3 years) and scope (single or shared) of reservation parameter that you select. |
RI Top Recommendations | You can click View RI Recommendations to be redirected to the RI Recommendations tab to see detailed RI purchase recommendations. |
The RI Coverage tab displays a graph of existing RI usage. In the RI tab, you can view the percentage of your infrastructure covered under reservation benefits.
RI Coverage displays the average RI coverage and current RI coverage over the selected time range. The RI Coverage report allows you to discover how much of your overall instance usage is covered by RIs to help you make informed decisions about when to purchase or modify a RI to ensure maximum coverage.
Also, you can use Filters to sort the coverage report for specific reservation parameters.
The Portfolio tab displays the detailed information about the VM reserved instances in your account. In the Status column, you can view if the reserved instance is used, unused, or underutilized.
Beam provides Reserved Instance (RI) purchase recommendations for your virtual machines instances running on Azure. The recommendations are based on your past usage and indicate potential opportunities for savings as compared to on-demand usage.
To refine the available recommendations, you can adjust the Recommendation Parameters by using the View Options .
Also, use Filters to sort the recommendations based on Sizes and Regions .
You can click View Details to view utilization chart, breakeven analysis, cost comparison, matching instance list, and applicable filters.
Task | Description |
---|---|
RI Purchase Recommendation | Provides a list of instances that you can purchase and displays on-demand cost, reservation cost, and savings for those instances. You can view further details about instances by clicking the arrow next to the instance name. |
Utilization Chart | Shows the utilization of on-demand versus reserved hours for a chosen time period. |
Breakeven Analysis | Displays the spending comparison of the selected RI payment option versus on-demand, considering RI is completely utilized. It also shows the exact date when the on-demand cost overtakes the RI cost. |
Cost Comparison | Shows the spending comparison of all upfront RI versus on-demand considering complete RI utilization. |
Matching Instance List | Shows the list of VM instances to which the selected RI may apply. |
Playbooks let you automate actions on your public cloud environment for better cloud management. It helps you to improve your operational efficiency by reducing manual intervention. You can create a playbook to schedule action on your cloud resources and automate regular workflows. For example, you can shut down your test environments during non-business hours.
Refer to the following diagram to get an understanding of the Playbooks workflow.
You must perform a few configurations before starting to create a playbook. Let us understand each of the configurations in more detail.
To execute a playbook, Beam needs permission to create and invoke certain functions in your public cloud environment.
Beam does not require write permissions on your cloud resources. You can add the action logic in the action template and it gets executed in your configured runtime environment. For example, you can add logic to start or stop an AWS EC2 instance in the action template. The specified function is invoked in the AWS Lambda environment according to the schedule (time-based trigger) you define when creating a playbook in the Beam console.
The function logic is defined in the system action templates provided by Beam. You can also create custom templates according to your requirements. The action template corresponds to the script that would take action when deployed in a runtime environment, that is, AWS Lambda or Azure Function. For more information, see Action Template.
Beam needs certain permissions on the AWS and Azure environments to execute Playbooks. You need to perform separate onboarding steps (AWS and Azure) for enabling accounts for Playbooks.
Beam needs permission to create and invoke the AWS Lambda function in your AWS environment to execute a playbook.
The required code is written in the Action Template. You have to select an action template when creating a playbook. Beam provides the code for system templates. Provide the code if you are using a custom template. For more information, see Action Template.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:TagResource",
"lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:ListAliases",
"lambda:UpdateFunctionConfiguration",
"lambda:GetFunctionConfiguration",
"lambda:UntagResource",
"lambda:UpdateAlias",
"lambda:UpdateFunctionCode",
"lambda:GetFunctionConcurrency",
"lambda:ListTags",
"lambda:DeleteAlias",
"lambda:DeleteFunction",
"lambda:GetAlias",
"lambda:CreateAlias"
],
"Resource": "arn:aws:lambda:*:*:function:*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": ["lambda:ListFunctions","iam:PassRole"],
"Resource": "*"
}
]
}
To provide these sets of permissions to Beam, you must execute the CloudFormation Template (CFT) when onboarding an AWS account. Also, ensure that you select the write access permissions when performing the account onboarding workflow.
In the case of Azure, you must create an Azure Function App in the Azure portal and configure the same application in Beam for the onboarded accounts.
Playbooks need access to the Azure Function app to create Azure functions. Refer to this section to create the Azure Function App in the Azure Portal.
To create an Azure Function App in the Azure portal, do the following:
Option | Description |
---|---|
Subscription | Select the subscription under which you want to create the function app. |
Resource Group | Select the resource group in which you want to create the function app. |
Function App name |
Enter a name that identifies your new function app.
Valid characters are a-z (case insensitive), - and
0-9.
Note:
The function app name must be globally
unique.
|
Runtime Stack | Select Python . |
Version | Select python version 3.8. |
Click Next: Hosting to go to the Hosting page.
Option | Description |
---|---|
Storage account |
Create a storage account to be used by your function app.
Storage account names must be between 3 and 24 characters in length and can contain numbers and lowercase letters only. You can also use an existing account, which must meet the storage account requirements. For more information, see Azure Functions Documentation . |
Operating system | An operating system is pre-selected for you based on your runtime stack selection. Linux is selected for the python runtime stack. You must not change the default selection that is Linux. |
Plan Type |
Select
Premium
or
App
service plan
.
Note that a function app with the plan type as Consumption (Serverless) is not supported by Beam. This plan type does not support the deployment service that Beam uses to deploy functions. |
Click Next: Monitoring to go to the Monitoring page.
Then, click Next : Tags to go to the Tags page.
Then, click Next : Review + create .
These entries are needed to perform a remote build when deploying functions in the Function App.
Refer to this section to configure the Azure Function App for an Azure account in the Beam console.
To configure the Azure Function App for an Azure account, do the following:
The Create Azure Function App window appears.
When configuring the Azure Function app in Beam, you need to enter the function app name, deployment user, deployment password, and function app leader key. This section describes the steps to fetch these information from the Azure portal.
The XML file contains the deployment user and deployment password.
In the function app home page, click App Keys . Click on the hidden value and copy the leader key. Refer to the following image for better understanding.
The Action Library page provides you a wide range of action templates that can be used in Playbooks.
The action template corresponds to the script that would take action when deployed in a runtime environment, that is, AWS lambda or Azure function. For example, an action can be Stop AWS EC2 Instances , Stop AWS RDS Instances , or Start Azure VM Instances .
Let us understand the input parameters in detail.
The Input Parameters consist of static inputs and dynamic resource-level inputs.
Input Parameter | Description |
---|---|
Params |
The static inputs correspond to each playbook execution. This
means that these inputs remain the same for each execution of
the playbook.
There are two types of Params: Plain Text and Protected . |
Plain Text |
The value of the key gets stored as plain text. When creating the template, you can define multiple keys. You have to enter the value for each key while creating a playbook. Example: For the Start Azure VM Instances template, the defined keys are tenant Id, client Id, and secret key. When creating an Azure playbook for starting a VM, you have to enter the values of these keys. These values get stored in plain text. |
Protected |
The value of the key is stored as a ciphertext. For example, select Protected as the input type for the secret key.
Note:
|
Dimensions |
Corresponds to the data for each resource within the defined
resource group.
Example: The dimensions defined for the Start Azure VM Instances template are VM name , Subscription Id , and resource group name . Suppose you are creating an Azure playbook to start VM instances using this system template. While executing the playbook, Beam searches for all the VMs within the defined resource group and adds the corresponding information to the input object of the script. The input object will contain the dimensions as a list with the name resourceList .
See the following
sample input object:
|
Resource Type | Supported Dimensions |
---|---|
AWS EC2 | instanceId , region , instanceName , accountId , serviceType , tags , instanceType , state . |
AWS EC2 AMI | imageId , name , creationDate , imageState , region , imageState , imageOwnerAlias , tags , accountId |
AWS EC2 EBS Snapshot | snapshotId , accountId , serviceType , region , tags , description , isEncrypted , snapshotStartTime , ownerId , ownerAlias , state |
AWS EC2 Auto Scaling Group | name , desiredCapacity , maxSize , minSize , region , createdTime , autoScalingGroupARN , accountId , serviceType , tags |
AWS RDS | region , accountId , dbInstanceIdentifier , serviceType , tags , dbInstanceArn , dbInstanceClass , engine , dbInstanceStatus . |
Azure VM | instanceId , accountId , serviceType , region , tags , powerState , osType , size , resourceGroupName , name . |
Beam provides predefined templates that already contain a python script for executing a specific action.
Refer to the following table to know about the supported system templates and their corresponding input parameters.
Resource Type | System Template | Description | Additional Parameters |
---|---|---|---|
AWS EC2 | Start AWS EC2 Instances | Used to start EC2 instances. | None |
Stop AWS EC2 Instances | Used to stop EC2 instances. | None | |
Create AMI For EC2 Instance | Used to create AWS EBS-backed AMI for the selected EC2 instance. |
|
|
Create EBS Snapshots | Used to create snapshots of all the EBS volumes attached to the selected EC2 instance. |
|
|
Cleanup AMIs by Max Images To Retain |
Used to cleanup backed-up EC2 AMIs, retaining only the specified
number of latest AMI(s) and deleting the remaining images.
Note:
This
action only considers the AMIs created through the
Create
AMI For EC2 Instance
system template.
|
maxImageToRetain | |
Cleanup EBS Snapshots By Snapshots To Retain |
Used to cleanup EBS snapshots of all the EBS volumes attached to the
selected EC2 instance.
This action retains the specified number of latest snapshots for all volumes attached to the EC2 instance
Note:
Playbook will not delete the snapshot of the root device
of an EBS volume that is used by a registered AMI. To delete those
snapshots, you must unregister the AMI first.
|
maxSnapshotsToRetain | |
AWS EC2 AMI | Cleanup AMIs by Retention Period |
Used to cleanup backed-up EC2 AMIs.
This action deregisters the AMI if its creation date is older than the specified retention period (in days). |
retentionTimePeriodInDays |
AWS EC2 EBS Snapshot | Cleanup EBS Snapshots by Retention Period |
Used to cleanup EBS snapshots older than the specified retention
period (in days).
Note:
Playbook will not delete the snapshot of the root
device of an EBS volume that is used by a registered AMI. To delete
those snapshots, you must unregister the AMI first.
|
retentionTimePeriodInDays |
AWS EC2 Auto Scaling Group | Update Configs for EC2 Auto Scaling Groups | Used to update configurations (minSize, maxSize, and desiredCapacity) for EC2 auto-scaling groups. |
|
AWS RDS | Start AWS RDS Instances | Used to start RDS instances. | None |
Stop AWS RDS Instances | Used to stop RDS instances. | None | |
Azure VM | Start Azure VM Instances | Used to start VM instances. | None |
Stop Azure VM Instances | Used to stop VM instances. | None |
Beam provides you with the option to create custom templates according to your needs and use cases.
You can define static input parameters and dimensions according to your needs and use cases to create a custom template.
Let us take an example to understand the use case of Dimensions.
This section contains important points for you to consider when planning to write the python script in the custom action template.
You can use the templates to apply actions on the resources in your public cloud (AWS and Azure) environment. Refer to this section to create a custom template.
To create a custom template, do the following:
The code gets executed in your cloud environment through the AWS lambda function or Azure function.
This section explains how to create a playbook using the system or custom action templates. The template consists of the python script that would take action when deployed in a runtime environment, that is, AWS lambda or Azure function. You can use an action template (system or custom) with multiple playbook instances.
To create a playbook for automating your regular workflows, do the following:
The Playbooks page appears.
After you define the schedule, click Next in the top-right corner of the page.
You can use the drop-down list in the top-right corner for filtering the system or custom templates. If not already created a custom template from the Action Library page, use the Create Action Template option. For more information, see Creating a Custom Action Template .
You can use the Parameters option to add tags in your message body.
The lambda function uses an IAM role to fetch the permissions that are required to execute the python script. You need to enter the ARN information while creating a playbook.
To create an IAM role for executing the python script, do the following:
Click on the IAM role to open the Summary page. This page displays the Role ARN which you require to enter in the Beam console.
To execute the python script added in the action template of the playbook, you need to create an Active Directory (AD) application with write permissions and provide the corresponding tenantId, clientId, and secret-key values in the Beam console.
To create an AD application for playbook, do the following:
The App registrations page appears.
Do the following:
The AD application page appears. Now, you need to add the Azure Service Management API permissions.
The Request API permissions pop-up appears.
You can view the client ID and tenant ID in the Overview page.
You need to add these three values in the Input Parameter fields of the action template while creating a playbook.
The Playbooks dashboard allows you to view the instances of playbook execution and perform various actions.
In the Playbooks dashboard, click on a playbook to view its details, including run- and change-log.
You can click View Details against an execution instance to view detailed information such as input (JSON), output (for example, status code, total resource count, failed resource count), and logs.
Suppose a user changes the definition of a playbook (for example, resource group). The next trigger gets executed according to the new definition, that is, on the new resource group. Each execution instance displays the exact configuration (schedule time and resource group) at the time of the trigger. You can go to the Change Logs page to view the details, that is, the user who made the changes and the modifications.
The Attempts section displays the number of attempts made before the playbook gets executed successfully.
The Change Logs page displays the historical data of the changes made to the selected playbook.
A scope is a logical group of your cloud resources that provides you with a custom view of your cloud resources. You can define scopes using cloud, accounts, and tags. The administrator can assign read-only access to a user. The user gets read-only access for the resources within the scope and not the cloud accounts that constitute the scope. After you create a scope, click View in the top-right corner to open the View Selector and select the scope.
A scope is a logical group of your cloud resources that provides you with a custom view of your cloud resources.
To create a scope, do the following.
To edit a configured scope, do the following.
To delete a configured scope, do the following.
The Invoice page generates invoices for your customers as a reseller or for the business units within your company based on the AWS accounts. This page displays a list of account names with the account ID and bill amount.
For information on configuring invoices, see Configuring Invoices.
You can use the search bar to view the bill for a specific account. If you want to generate reports, you can use generate, share, or download report options. For more information on reports, see Cost Reports.
You can configure settings for invoices generated for all the linked accounts under a payer account.
To configure invoice settings, do the following.
This section provides information about the supported licenses for your Beam accounts, license entitlement for Nutanix on-premises, and subscription entitlement for public clouds.
To access the Licensing page, click Hamburger Icon > Configure > Licensing .
Refer to the following table to know about the various statuses available for your Beam account.
Status | Description |
---|---|
In Trial | A banner gets displayed notifying you about the trial period and suggesting you purchase a license. |
Trial Expired or License Expired | The Expired status appears after your trial period gets over or the applied license gets expired. You would not be able to use the Beam features and need to purchase the license. |
License Applied | Indicates that your license is applied. You can also view the expiry date for the license. |
The following two cases may occur after the license gets applied:
For public clouds (AWS and Azure), one of the following statuses get displayed on the Licensing page:
Status | Description |
---|---|
In Trial | A banner gets displayed to notify you about the trial period and an option to purchase a subscription. To purchase a subscription, click Purchase Online Now , which redirects you to the Nutanix Billing Center. |
Subscription Active | This status indicates that you have an active subscription. The expiration date of the active subscription is also displayed. |
Trial Expired or License Expired | The Expired status appears after your trial period gets over or the active subscription gets expired. You would not be able to use the Beam features and need to purchase or renew the subscription. |
You must have a valid license and subscription to use the Beam features for your Nutanix on-premises and public clouds. If you do not purchase a license or subscription, a banner gets displayed at the top of the Beam page indicating that there are feature violations.
Beam provides API services to allow you to programmatically retrieve data from the Beam's platform and perform different configurations.
You can integrate Beam with third-party applications such as Slack and ServiceNow.
The following sections describe the integrations you can perform in the Beam application.
You can integrate Beam application with Slack to get notifications on your Slack channels. This section describes how to integrate Slack to Beam.
ServiceNow provides IT services management (ITSM), and IT operations management (ITOM) as a software service.
Nutanix Beam & Security Central Plugin (ServiceNow Beam application) helps to integrate your ServiceNow instance with your Beam account. You can create a Change Request for Beam's cost optimization recommendations. Your Beam account also receives updates on any changes made to the change requests created through this integration.
ServiceNow integration in Beam consists of the following steps.
Go to store-servicenow to get the Nutanix Beam & Security Central Plugin .
To install the Beam application in your ServiceNow instance, see ServiceNow Documentation.
The Integrations page allows you to create a ServiceNow integration in Beam. Beam generates Webhook URL and Security Token . You need to enter the webhook URL and security token when creating an Integration Definition in the ServiceNow Beam application .
After the Integration Definition in your ServiceNow instance is complete, you can click Verify and Save to complete the ServiceNow Integration. The Default Change Request Template gets created by default. You can add more templates if you want.
In your ServiceNow instance, you need to create an Integration Definition. When creating the definition, you need to enter the webhook URL and security token (auto-generated by Beam in the Integrations page) in the Endpoint and Token fields.
After you click Verify and Save in the Integrations page to complete creating the ServiceNow Integration in Beam, the Default Change Request Template gets created by default.
You can also add more templates. In the Integrations page, click the templates link against the ServiceNow Integration to go to the ServiceNow Templates page. In the top-left corner, click Add Template .
You can create a ticket for the selected resources from the Optimize tab.
You can use the Configure menu to go to the Integrations page.
To create a ServiceNow integration in Beam, do the following.
You need to create an integration definition for your ServiceNow Beam application in your ServiceNow instance. You need to enter the webhook URL and security token (auto-generated by Beam in the Integrations page) in the Endpoint and Token fields.
To create an Integration Definition in the ServiceNow Beam application, do the following.
You can create a template by adding parameters and fields according to your requirements.
You can also create a template.
To create a template, do the following.
You can create ServiceNow tickets for your resources in the Optimize tab.
To create a ServiceNow ticket, do the following.
The Create ServiceNow Ticket page appears.
The Optional fields area appears after you select a template or a task type.
Product Release Date: 2022-04-27
Last updated: 2022-11-10
Calm allows you to seamlessly select, provision, and manage your business applications across your infrastructure for both the private and public clouds. Calm provides application automation, lifecycle management, monitoring, and remediation to manage your heterogeneous infrastructure, for example, VMs or bare-metal servers.
Calm supports multiple platforms so that you can use the single self-service and automation interface to manage all your infrastructure. Calm provides an interactive and user-friendly graphical user interface (GUI) to manage your infrastructure.
Calm is a multi-cloud application management framework that offers the following key benefits:
Calm simplifies the setup and management of custom enterprise applications by incorporating all important elements, such as the relevant VMs, configurations, and related binaries into an easy-to-use blueprint. These blueprints make the deployment and lifecycle management of common applications repeatable and help infrastructure teams eliminate extensive and complex routine application management.
Calm unifies the management of all your clouds into a single-pane-of-glass, removing the need to switch between portals. Calm automates the provisioning of multi-cloud architectures, scaling both multi-tiered and distributed applications across different cloud environments, including AWS, GCP, Azure, and VMware (on both Nutanix and non-Nutanix platforms).
Calm empowers different groups in the organization to provision and manage their own applications, giving application owners and developers an attractive alternative to public cloud services. Calm provides powerful, application-centric self-service capabilities with role-based access control. All activities and changes are logged for end-to-end traceability, aiding security teams with key compliance initiatives.
The marketplace offers preconfigured application blueprints that infrastructure teams can instantly consume to provision applications. The marketplace also provides the option to publish sharable runbooks. A runbook is a collection of tasks that are run sequentially at different endpoints. Infrastructure teams can define endpoints and use runbooks to automate routine tasks and procedures that pan across multiple applications without the involvement of a blueprint or an application.
With native integration into Beam, Calm also shows the overall utilization and true cost of public cloud consumption to help you make deployment decisions with confidence.
Combined with Nutanix Karbon or your choice of certified Kubernetes, Calm provides the tools required to modernize applications without losing control of policy. Additionally, Calm natively integrates with Jenkins to empower CI/CD pipelines with automatic infrastructure provisioning or upgrades for all applications.
Calm DSL describes a simpler Python3-based Domain Specific Language (DSL) for writing Calm blueprints. DSL offers all the richness of the Calm user interface along with additional benefits of being human readable and version controllable code that can handle even the most complex application scenario. DSL can be also used to operate Calm from a CLI.
As Calm uses Services, Packages, Substrates, Deployments and Application Profiles as building blocks for a blueprint, these entities can be defined as Python classes. You can specify their attributes as class attributes and define actions on those entities (procedural runbooks) as class methods.
Calm DSL also accepts appropriate native data formats such as YAML and JSON that allow reuse into the larger application lifecycle context of a Calm blueprint.
For technical articles, videos, labs and resources on Calm DSL, see Nutanix Calm DSL on Nutanix.dev.
You must configure the following components before you start using Calm.
Before you enable Calm from Prism Central, ensure that you have met the following prerequisites.
You can go to the Software Product Interoperability page to verify the compatible versions of Calm and Prism Central.
Nutanix certifies the following benchmarks for single-node deployment profiles (non-scale-out) and three-node deployment profiles (scale-out). Each benchmark contains scale numbers across different entities of Calm. Because the scaling properties of these entities often depend on each other, changes to one entity might affect the scale of other entities. For example, if your deployment has smaller number of VMs than the benchmarked number, you can have a higher number of blueprints, projects, runbooks, and so on.
Use these guidelines as a good starting point for your Calm installation. You might have to allocate more resources over time as your infrastructure grows.
The following table shows the Calm benchmarks for a single-node Prism Central profile.
Prism Central size | Prism Central configuration | Number of VMs | Number of single-VM blueprints | Number of single-VM applications | Number of projects | Number of runbooks |
---|---|---|---|---|---|---|
Small (1 node) |
6 vCPUs and 30 GB of memory for each node. |
2000 | 400 | 2000 | 50 | 250 |
Large (1 node) |
10 vCPUs and 52 GB of memory for each node. |
7000 | 1400 | 7000 | 250 | 500 |
The following table shows the Calm benchmarks for a three-node Prism Central profile. If high-availability is preferred, it is recommended to use the scale-out deployment.
Prism Central size | Prism Central configuration | Number of VMs | Number of single-VM blueprints | Number of single-VM applications | Number of projects | Number of runbooks |
---|---|---|---|---|---|---|
Small (3 nodes, scale out) |
6 vCPUs and 30 GB of memory for each node. |
3500 | 700 | 3500 | 100 | 500 |
Large (3 nodes, scale out) |
10 vCPUs and 52 GB of memory for each node. |
12500 | 2500 | 12500 | 500 | 1000 |
The following considerations are applicable for both Calm single-node and three-node (scale-out) profiles:
The maximum throughput on a large three-node (scale-out) deployment profile is 400 VMs per hour.
For a list of required Calm ports, see Port Reference. The Port Reference section provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.
Calm is integrated into Prism Central and does not require you to deploy any additional VMs. To start using Calm, you only have to enable Calm from Prism Central.
If the Prism web console is not registered from a Prism Central and the application blueprints have subnet, image, or VMs on the Prism web console, the Calm functionality is impacted.
Prism Central Guide
.
You can check the version of your Calm instance from the Calm user interface.
Calm VM is a standalone VM that you can deploy on AHV and ESXi hypervisors and leverage calm functionality without the Nutanix infrastructure.
You can deploy Calm using the image at the Nutanix Support Portal - Downloads page and manage your applications across a variety of cloud platforms. Calm VM deployment eliminates the need of the complete Nutanix infrastructure to use Calm features.
For information on Calm VM deployment on AHV, see Deploying Calm VM on AHV.
This section describes the steps to deploy a Calm VM on AHV.
You must create a VM with a specific Open Virtualization Format (OVF) image to access the Calm UI.
For more information, see Deploying OVA Template on VMware vSphere section in the VMware documentation .
This section describes the steps to deploy a Calm VM by using the vSphere CLI (govc).
$ govc import.ova -name 5.17.1-prismcentral -3.0.0.1 http://endor.dyn.nutanix.com/GoldImages/calm-vm
If you have downloaded the OVF file on your system, replace http://endor.dyn.nutanix.com/GoldImages/calm-vm with the location of the OVF file.
Running the command starts the uploading process. Once the uploading is complete, power on the Calm VM from the vSphere web client.
Use the following procedure to set up Scale-out version of Calm VM.
cluster stop
cluster destroy
#cluster --cluster_function_list="multicluster" -s <ip1>,<ip2>,<ip3> create
For example:
cluster --cluster_function_list="multicluster" -s 10.46.141.71,10.46.138.20,10.46.138.26 create
cluster --cluster_function_list="multicluster" --cluster_name "<Cluster Name>" -s <ip1>,<ip2>,<ip3> --cluster_external_ip=<vip> create
For example:
cluster --cluster_function_list="multicluster" --cluster_name "Demo" -s 10.46.141.71,10.46.138.20,10.46.138.26 --cluster_external_ip=10.46.141.70 --dns_servers 10.40.64.15,10.40.64.16 create
cd /home/nutanix/bin
python enable_calm.py
cluster status
docker cp /home/nutanix/bin/set_policy_calmvm.pyc nucalm:/home
docker cp /home/nutanix/bin/set_policy.sh nucalm:/home
docker exec nucalm /bin/sh -c '/home/set_policy.sh <POLICY_VM_IP> <POLICy_VM_UUID>'
Use the following steps to enable policy engine for Calm VM.
docker cp /home/nutanix/bin/set_policy_calmvm.pyc nucalm:/home
docker cp /home/nutanix/bin/set_policy.sh nucalm:/home
docker exec nucalm /bin/sh -c '/home/set_policy.sh <POLICY_VM_IP> <POLICy_VM_UUID>'
policy-engine.tar.gz
file from the Downloads page on to the policy
engine VM.
policy-engine.tar.gz
file.
upgrade.sh
.
docker ps
command to check the status of
policy containers, and wait for the containers to get healthy.
By Default, Calm VM uses DHCP IP address. You can use the following procedure to launch Calm VM using a static IP address.
The following table lists the different tabs in Calm, their icons, and their usage:
Icons | Tab | Usage |
---|---|---|
Marketplace tab | To instantly consume application blueprints to provision applications. See Marketplace Overview. | |
Blueprint tab | To create, configure, publish, and launch single-VM or multi-VM blueprints. See Calm Blueprints Overview. | |
Application tab | To view and manage applications that are launched from blueprints. See Applications Overview. | |
Library tab | To create and use variable types and tasks. You use variables and tasks while configuring a blueprint. See Library Overview. | |
Runbooks tab | To automate routine tasks and procedures that pan across multiple applications without involving any blueprints or applications. See Runbooks Overview. | |
Endpoints tab | To create and manage target resources where the tasks defined in a runbook or in a blueprint can run. See Endpoints Overview. | |
Settings tab |
To enable or disable general settings. See General Settings in Calm. To configure and manage provider account. See Provider Account Settings in Calm. To configure and manage credential provider. See Configuring a Credential Provider. |
|
Policies tab | To schedule application actions and runbook executions. See Scheduler Overview. | |
Marketplace Manager tab | To manage approval and publishing of application blueprints. See Marketplace Manager Overview. | |
Projects tab | To create users or groups and assign permissions to use Calm. Projects tab also allows you to configure environment for your providers. See Projects Overview. |
You can use the following procedure to explore Calm user interface and get an overview of the Calm components.
You can use the following procedure to access the Calm REST API explorer console from the Calm user interface.
Calm manages the role-based access control using projects. Projects are logical groupings of user roles, accounts, VM templates, and credentials that are used to manage and launch blueprints and applications within your organization. For more information, see Projects Overview.
Users or groups are allowed to view, launch, or manage applications based on the roles that are assigned within the projects. Calm has the following roles for users or groups:
Project admins have full control of the project. They can perform reporting and user management, create blueprints, launch blueprints, and run actions on the applications.
Developers can create blueprints, launch blueprints, and run actions on the applications. They are, however, not allowed to perform reporting and user management.
Consumers can launch new blueprints from the marketplace and run actions on the applications. They are, however, not allowed to create their own blueprints.
Operators have minimum access and are allowed only to run actions against existing applications. They are not allowed to launch new blueprints or edit any existing blueprints.
The following table details the roles and responsibilities in Calm:
Prism Admin | Project Admin | Developer | Consumer | Operator | ||
---|---|---|---|---|---|---|
Marketplace | Enable and Disable | X | ||||
Manage | X | |||||
App publishing request | X | X | X | |||
Send App publishing request to the Administrator | X | X | ||||
Clone and edit App blueprint | X | X | X | |||
Blueprint | Create, update, delete, and duplicate | X | X | X | ||
Read-only | X | X | X | X | ||
Launch | X | X | X | X | ||
Applications | Complete App summary | X | X | X | X | X |
Run functions | X | X | X | X | X | |
App debug mode | X | X | X | X | X | |
Function edit | X | X | X | |||
Create App (brownfield import) | X | X | X | |||
Delete App | X | X | X | X | ||
Settings | CRUD | X | ||||
Task Library | View | X | X | X | X | X |
Create and Update | X | X | X | |||
Delete | X | |||||
Sharing with Projects | X | |||||
Projects | Add project | X | ||||
Update project | X | X | ||||
Add VMs to projects | X | |||||
Custom roles | ||||||
Users | Add users to the system and change roles | X | ||||
Add and remove users to or from a project | X | X | ||||
Change user roles in a project | X | X | ||||
Create Administrator | X | |||||
Create Project Administrator | X | X | ||||
Runbooks | Create and Update | X | X | X | ||
View | X | X | X | X | X | |
Delete | X | X | X | |||
Execute | X | X | X | X | X | |
Endpoints | Create and Update | X | X | X | ||
View | X | X | X | X | X | |
Delete | X | X | X | |||
Scheduler | Create, delete, and clone jobs | X | X | X | X | |
Read job and view execution status | X | X | X | X | X | |
Update job name, schedule, executable, and application action | X | X | X | X | ||
Edit operations on a blueprint launch | X | X | X | X | ||
Edit operations on runbook executions | X | X | X | X | ||
Edit operations on application actions | X | X | X | X | ||
Edit operations on Marketplace launch | X | X | X | X |
When you enable Calm, you get an out-of-the-box blueprint, a default project, and a preconfigured application profile with your Nutanix account. You can use the blueprint, project, and application profile to instantaneously launch your first application.
To quickly provision a Linux or Windows Infrastructure as a Service (IaaS) for your end users, you can configure and launch a single-VM blueprint in Calm.
Provisioning a Linux or Windows IaaS involves configuring the single-VM blueprint VM specifications and launching the blueprint.
The Settings tab allows you to control the overall administrative functionalities of the Calm instances. You must be a Prism Central administrator to access the Settings tab.
You can use the Settings > General tab to control the following functionalities:
Enable Nutanix Marketplace Applications to view and launch ready-to-use application blueprints. These application blueprints appear on the Marketplace Manager tab for publishing. You can publish the blueprints to the marketplace after associating them with a project.
Showback allows you to estimate the overall service cost of the applications running on your on-prem cloud. You can also view the graphical representation of the cost of the applications.
To enable and configure showback, see Enabling Showback.
Enable Showback to configure the resource cost of your applications and monitor them while you configure a blueprint or manage an application. Showback is applicable only for the Nutanix platform and the VMware through vCenter platform.
Disable showback to stop monitoring the resources cost of your application blueprints.
The policy engine is a single-VM setup for the single or scale-out Prism Central. When you enable the policy engine for your Calm instance, a new VM is created and deployed for the policy engine. All you need is an available IP address that belongs to the same network as that of your Prism Central VM for the policy engine VM.
As an administrator, you can enable the policy engine to:
The policy engine is a single-VM setup for the single or scale-out Prism Central.
When you enable the policy engine for your Calm instance, a new VM is created and deployed for the policy engine. All you need is an available IP address that belongs to the same network as that of your Prism Central VM for the policy engine VM.
You can enable the policy engine at a dark site.
<Calm version number>-CalmPolicyVM.qcow2
<Calm version number>-CalmPolicyVM.ova
After you enable the policy engine, you can set up the default quota values for vCPU, memory, and disk. This step is optional.
Setting up quota defaults saves you from repeatedly entering vCPU, memory, and disk quota values for each cluster. After you set the quota defaults, the default quota values populate automatically when you allocate quotas to your provider accounts.
After you enable policy engine, review the policy engine VM configuration, network configuration, and cluster information on the Policies tab of your Setttings page. For example, you can view the power status, protection status, or cluster name of the policy engine VM.
Disable the policy enforcement for your Calm instance if the policy engine VM encounters any connectivity issues or the policy engine VM is not responding.
You can enable approvals for your Calm instance from the settings page.
When you enable approvals, events such as runbook executions, application launch, and application day-2 operations that match the conditions defined in the approval policy go through the approval process.
You can disable approvals for your Calm instance from the Settings page.
When you enable approvals, events such as runbook executions, application launch, and application day-2 operations do not go through the approval process even when they match the conditions defined in the approval policy.
You can view the configuration details and email template on the Policies tab of the Settings page.
The content of the email templates for approver or requester can be modified only using the APIs. You can use the following supported email template variables.
You can use these variables with the {{}} syntax. For example, {{.PCIP}} .
You can view the protection and recovery status of a Calm application when:
You can view the protection and recovery status of the application on the Application Overview page. For more information, see Overview Tab.
To enable the option to show application protection status, see Enabling Application Protection Status View.
Enable the Show App Protection Status toggle button to view the protection and recovery status of a Calm application that is deployed on a Nutanix platform. You must be a Prism Central administrator to enable or disable the toggle button.
Calm automatically archives run logs of the deleted applications and custom actions that are older than three months. You can download the archives within 7 days from the time of archive creation.
For a running application, data is not archived for the system-generated Create actions.
You can get the following information for Start, Restart, Stop, Delete, and Soft Delete system-generated actions and user-created actions.
Calm archives all action details of a deleted application.
Only an administrator can view and download the application log archive. For more information, see Downloading Application Log Archive.
Calm periodically archives application logs to clear resources. You can download the archived application logs from the Settings tab.
Provider accounts are cloud services, baremetals, or existing machines that you can use to deploy, monitor, and govern your applications. You can configure multiple accounts of the same provider.
Use the Settings > Accounts tab to configure provider accounts. You configure provider accounts (by using the provider credentials) to enable Calm to manage applications by using your virtualization resources.
Calm supports the following provider accounts:
Provider Accounts | Description |
---|---|
Nutanix |
All the AHV clusters that are registered to the Prism Central instance are
automatically added as providers.
Note:
If you want to add a remote Prism Central (PC)
instance as a provider in a multi-PC setup, you must add the remote PC instance as
an account in Calm. For more information, see Configuring a Remote Prism Central Account.
|
VMware | To configure a VMware account, see Configuring a VMware Account. |
AWS | To configure an AWS account, see Configuring an AWS Account. |
Azure | To configure an Azure account, see Configuring an Azure Account. |
GCP | To configure a GCP account, see Configuring a GCP Account. |
Kubernetes | To configure a Kubernetes account, see Configuring a Kubernetes Account. |
Xi Cloud | To configure Xi Cloud as a provider, see Configuring a Xi Cloud Account. |
All AHV clusters that are registered to your Prism Central instance are automatically added as provider accounts to Calm.
You can also configure any remote Prism Central (PC) as an account in Calm to deploy applications on the remote PC. For more information, see Support for Multi-PC Setup.
In a multiple Prism Centrals (multi-PC) setup, a central Calm instance (called global Calm instance) runs only on one of the PCs (called host or parent PC) and all the other PCs are connected to the central Calm instance as the remote PCs.
The global Calm instance can now manage the applications deployed on the geographically distributed Prism Centrals (also called remote PCs) without the need of separate Calm instances for every PC. A remote PC is only used to provision the tasks for the deployed applications.
In a multi-PC environment, every remote PC is added as an account to the host PC and you can add the account to your project before creating and launching a blueprint.
For more information about adding a remote PC as an account, see Configuring a Remote Prism Central Account.
For more information about adding the account to a project, see Adding Accounts to a Project.
To deploy an application on a remote PC, you must configure the remote PC as an account in Calm.
You require the role of a Prism Admin to configure a remote PC account.
For more information about multiple Prism Central setup support, see Support for Multi-PC Setup.
Calm allows you to create VMs within the overlay subnets that have association to a Virtual Private Cloud (VPC) when you use your Nutanix or Remote PC account. A VPC is an independent and isolated IP address space that functions as a logically isolated virtual network. VMs that you create with VPC Subnets cannot communicate with a VM that is outside the VPC. Even the VMs outside the VPC cannot reach the VMs within the VPC.
In the absence of this direct communication, you can set up tunnels to communicate with the VMs within the VPC for orchestration activities and to run script-based tasks. You can set up the tunnel VM in any one of the subnets within the VPC.
To set up tunnels for your VPCs, you must:
For more information on creating VPC tunnels, see Creating VPC Tunnels.
In your Nutanix account, you set up tunnels to get access to the VMs that are created within the VPCs.
The tunnels that you create enables you to perform check log-in and run script-based execution tasks on the VMs that use the overlay subnets of the VPC.
If tunnel is not configured for the selected VPC, you can only perform basic operations (such as VM provisioning) on the VPC.
Configure your VMware account in Calm to manage applications on the VMware platform.
To refer to the video about setting up VMware as provider, click here.
The following table provides the complete list of permissions that you need to enable in vCenter before you configure your VMware account in Calm.
Entity | Permission |
---|---|
Datastore |
|
Network |
|
Resource |
|
vSphere Tagging |
|
Virtual Machine > Change Configuration |
|
Virtual Machine > Interaction |
|
Virtual Machine > Edit Inventory |
|
Virtual Machine > Provisioning |
|
You must define the custom role at the vCenter level instead of the Datacenter level. For information on how to enable permissions in vCenter, see the vSphere Users and Permissions section in the VMware documents.
Calm supports the following versions of vSphere.
Configure your AWS account in Calm to manage applications on the AWS platform.
nutanix@cvm$ ncli cluster get-name-servers
GovCloud (US) is an isolated AWS region to help the United States government agencies and federal IT contractors host sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements.
The AWS GovCloud (US) region supports the management of regulated data by restricting physical and logical administrative access to U.S. citizens only.
To manage applications on the AWS platform using Calm, you must have a privileged AWS user account with an appropriate policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListRoles",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:GetAccountPasswordPolicy",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateSnapshot",
"ec2:CreateImage",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:DisassociateIamInstanceProfile",
"ec2:RegisterImage",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot",
"ec2:GetConsoleOutput",
"ec2:Describe*",
"ec2:DeleteTags",
"ec2:TerminateInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["iam:ListUserPolicies"],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
},
{
"Effect": "Allow",
"Action": ["iam:PassRole"],
"Resource": ["arn:aws:iam::*:role/*"]
}
]
}
The following table displays the list of user policy privileges and the corresponding JSON attributes that you can add in the JSON syntax to assign different privileges to a user.
To create | JSON attributes |
---|---|
EC2 Instances |
ec2:RunInstances
|
Volumes |
ec2:CreateVolume
|
Snapshot |
ec2:CreateSnapshot
|
Image(AMI) |
ec2:CreateImage
|
To list or get | JSON attributes |
SSH Public Keys for all users |
iam:ListSSHPublicKeys
|
List IAM Roles |
iam:ListRoles
|
EC2 attributes |
ec2:Describe*
|
EC2 instance console output |
ec2:GetConsoleOutput
|
IAM user policies for the user |
iam:ListUserPolicies
|
To update | JSON attributes |
Image(AMI) attributes |
ec2:ModifyImageAttribute
|
To delete | JSON attributes |
EC2 Instances |
ec2:TerminateInstances
|
Instance Tags |
ec2:DeleteTags
|
Snapshot |
ec2:DeleteSnapshot
|
Images(deregister images) |
ec2:DeregisterImage
|
Others | JSON attributes |
Start/Stop/Restart Instances |
ec2:RunInstances, ec2:StartInstances, ec2:StopInstances,
ec2:RebootInstances
|
Pass and IAM role to service |
iam:PassRole
|
Configure your GCP account in Calm to manage applications on the GCP platform.
Configure your Azure account in Calm to manage applications on the Azure platform.
You must have a privileged Azure user account to manage applications on an Azure platform using Calm.
To refer to a video about assigning minimum privilege to configure Azure account to work with Calm, click here.
{
"Name": "Calm Admin",
"IsCustom": true,
"Description": "For calm to manage VMs on azure provisioned from calm applications",
"Actions": [
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/checknameavailability/read",
"Microsoft.Storage/skus/read",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/publicIPAddresses/*",
"Microsoft.Network/publicIPPrefixes/*",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/write",
"Microsoft.Compute/disks/*",
"Microsoft.Compute/images/read",
"Microsoft.Compute/images/write",
"Microsoft.Compute/locations/publishers/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/snapshots/*",
"Microsoft.Compute/locations/vmSizes/read",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.GuestConfiguration/*/read",
"Microsoft.GuestConfiguration/*/write",
"Microsoft.GuestConfiguration/*/action",
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/vaults/deploy/action"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/<subscription id>"
]
}
az role definition create --role-definition <file>.json
az ad sp create-for-rbac -n "CalmAccount" --role "Calm Admin"
Configure your Kubernetes account in Calm to manage applications on the Kubernetes platform.
For Calm to manage workloads on Amazon EKS, Azure Kubernetes Service (AKS), or Anthos, enable the generic authentication mechanism and create a service account on the Kubernetes cluster. You can then use the service account to communicate with the cluster.
kubectl create serviceaccount ntnx-calm
kubectl create clusterrolebinding ntnx-calm-admin --clusterrole
cluster-admin --serviceaccount default:ntnx-calm
SECRET_NAME=$(kubectl get serviceaccount ntnx-calm -o
jsonpath='{$.secrets[0].name}')
kubectl get secret ${SECRET_NAME} -o jsonpath='{$.data.token}' |
base64 –decode
kubectl config view --minify --raw -o
jsonpath='{.clusters[*].cluster.certificate-authority-data}' | base64
–decode
To manage workloads on Nutanix Xi Cloud, add your Xi Cloud as an account in Calm if your Prism Central is paired with a Xi cloud. Calm automatically discovers the availability zones of the Xi Cloud and allows you to add the Xi Cloud account as a provider account.
Calm automates the provisioning and management of infrastructure resources for both private and public clouds. When any configuration changes are made directly to the Calm-managed resources, Calm needs to sync up the changes to accurately calculate and display quotas and Showback information.
Platform sync enables Calm to synchronize any changes in the clusters that are managed by Calm on connected providers. These changes can be any IP Address changes, disk resizing, unavailability of VMs, and so on.
For example, when a VM is powered off externally or deleted, platform sync updates the VM status in Calm. Calm then adds the infrastructure resources consumed by the VM (memory and vCPU) to the total available quota.
You can specify an interval after which the platform sync must run for a cluster. For more information, see Configuring a Remote Prism Central Account and Configuring a VMware Account.
Platform sync enables Calm to synchronize any changes in the clusters that are managed by Calm on connected providers. These changes can be any IP Address changes, disk resizing, unavailability of VMs, and so on. You can sync up the configuration changes instantly for your accounts.
Allocate resource quotas to your accounts to have a better control over the infrastructure resources (computer, memory, and storage) that are provisioned through Calm. Based on the resource quota you allocate, the policy engine enforces quota checks when applications are launched, scaled-out, or updated.
Use the utilization report to analyze how the projects to which the cluster is assigned consumed the allocated resources of the cluster. For example, if a Nutanix cluster is assigned to three different projects, you can analyze how the assigned projects consumed the allocated resources of that cluster.
Credentials help in abstracting identity settings while connecting to an external system. Credentials are used to authenticate a user to access various services in Calm. Calm supports key-based and password-based authentication method.
Credentials are used in multiple Calm entities and workflows.
Environment allows a Project Admin to add multiple credentials and configure VM default specifications for each of the selected providers as a part of project and environment configurations.
Project admins must configure an environment before launching an application from the marketplace. The recommendation is to have at least one credential of each secret type (SSH or password) to be defined under each environment in the project. These values get patched wherever the credential values are empty when you launch your marketplace items.
Developers can add credentials to a blueprint. These credentials are referenced after the VM is provisioned. Credentials defined within an environment of a project have no significance or impact on the credentials you define within the blueprint.
Calm supports export and import of blueprints across different Prism Central or Calm instances along with the secrets. The developer uses a passphrase to encrypt credentials and then decrypts credentials in a different instance using the same passphrase to create a blueprint copy.
All global marketplace items have empty credentials values. However, locally published blueprints can have the credential values if the developer published the blueprint with the Publish with Secret s option enabled.
When you launch a marketplace item, credentials are patched wherever the value is empty. In case there are multiple credentials of a particular type configured within the environment of a project, you get the option to select a credential for the launch.
Owners can change the credential value of an application multiple times until the application is deleted. The latest value of a credential that is available at that point in the application instance is used when an action is triggered.
Any change in the credential value at the application level does not impact the credential value at the corresponding blueprint level.
Calm allows managing the following types of credentials:
Static credentials in Calm are modelled to store secrets (password or SSH private key) in the credential objects that are contained in the blueprints that the applications copy.
Calm supports external credential store integration for dynamic credentials. A credential store holds username and password or key certificate combinations and enables applications to retrieve and use credentials for authentication to external services whenever required. As a developer, you can:
For more information about configuring a credential provider, see Configuring a Credential Provider.
When a blueprint uses a dynamic credential, the secret (password or SSH private key) is not stored in the credential objects within the blueprint. The secret values are fetched on demand by executing the runbook within the credential provider that you configure in Calm and associate with the blueprint.
Calm supports external credential store integration for dynamic credentials.
As a developer, you can define variable, runbook, and attributes in a dynamic credential provider definition.
In Calm, a project is a set of Active Directory users with a common set of requirements or a common structure and function, such as a team of engineers collaborating on an engineering project.
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project. You can configure multiple environments in a project and set one of the environments as the default environment for the project.
The project construct defines various environment-specific settings. For example:
Projects provide logical groupings of user roles to access and use Calm within your organization. To assign different roles to users or groups in a project, you use configured Active Directory in Prism Central.
A project in Calm offers the following user roles. Each role has predefined functions that a user with role assigned can perform in a project. For more information, see Role-Based Access Control in Calm.
As part of the project configuration, you also configure environments. Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project. You use a configured environment either during your blueprint creation or during an application launch. When you select a configured environment while launching an application from the marketplace, the values for the application launch are picked up from the selected environment.
You create a project to map your provider accounts and define user roles to access and use Calm.
Calm uses projects to assign roles to particular users and groups. Based on these roles, users are allowed to view, launch, or manage applications.
You can add multiple accounts of the same provider or different providers you configured in Calm to your projects. Calm supports accounts of the following providers:
When you add Nutanix accounts to your project, you can allow clusters and their corresponding VLAN or overlay subnets.
A VLAN subnet is bound to a Prism Element cluster. When you use the VLAN subnet to a provision a VM, the VM get automatically placed on that Prism Element.
However, an overlay subnet can span from a few clusters to all the clusters of your Prism Central. Therefore, when you configure your Nutanix account in your project, Calm enables you to allow clusters before allowing the subnets.
Allowing clusters before their subnets enables you to have projects where you can allow VPCs and their corresponding subnets without allowing any VLAN subnets.
For Nutanix and VMware accounts within your project, you can also define resource quota limits for quota checks. For more information, see Quota Policy Overview.
You can add multiple provider accounts or credential provider accounts that you configured in Calm to your project. You can also define resource quota limits for quota checks for Nutanix and VMware accounts within the project.
Calm allows you to modify the users, accounts, and quota details of a saved project. You can also delete an account from a project.
You can delete a project that is not associated with any application or blueprint. If the project is already used to create any applications or blueprints, you cannot delete the project. In such cases, a dialog box appears displaying the association of the project with different applications or blueprints.
Environment is a subset of a project. When you create a project, you can add multiple accounts of the same provider or accounts of different providers that you configured in Calm to your project. You can then configure one or more environments in your project.
When you create an application blueprint, you select a project and use the environments you configured for that project for application deployments. You can also optionally select one environment for each application profile in the blueprint.
You configure environments as a part of your project creation so that you can use the configured environments when you create blueprints or launch marketplace application blueprints. You can configure multiple environments in your project.
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project.
vm-@@{calm_time}@@
. For more information on Calm macros,
see Macros Overview.
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project.
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project.
Templates allow you to create multiple virtual machines with the same characteristics, such as resources allocated to CPU and memory or the type of virtual hardware. Templates save time and avoid errors when configuring settings and other parameters to create VMs. The VM template retrieves the list options from the configured vCenter.
For more information, refer to VMware KB articles.
A content library stores and manages content (VMs, vApp templates, and other types of files) in the form of library items. A single library item can consist of one file or multiple files. For more information about the vCenter content library, see the VMware Documentation .
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project.
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project.
The Resource Group list displays the resource groups that are associated with the subscriptions you selected in your Azure account. In case you have not selected any subscriptions, Calm considers all the subscriptions that are available in the Azure service principal to display the resource groups. Each resource group in the list also displays the associated subscription.
For Windows VMs, specify the certificate store on the virtual machine to which the certificate is added. The specified certificate store is implicitly created in the LocalMachine account.
For Linux VMs, the certificate file is placed under the /var/lib/waagent directory with the file name <UppercaseThumbprint>.crt for the X509 certificate file and <UppercaseThumbpring>.prv for private key. Both of these files are .pem formatted.
Perform the following steps to configure connection in your environment.
You can either select the public IP address or private IP address of a NIC.
Delay timer defines the time period when the check login script is run after the VM starts. It allows you to configure the delay time to allow guest customization script, IP, and all other services to come up before running the check login script.
Credentials help in abstracting identity settings while connecting to an external system. You can configure multiple credentials of the same type (either SSH key or password) and define under the Environment tab. You can use the configured credentials during launch of an application blueprint.
Credentials are used to authenticate a user to access various services in Calm. Calm supports key-based and password-based authentication method.
Quota policies enforce a usage limit on an infrastructure resource for projects and restrict project members to use more than their specified quota limits. Quotas ensure that a single project or a few projects do not overrun the infrastructures. If the cluster runs out of a resource, project members cannot use the resource even if the project has not reached its specified limit.
Quota policies also enforce a usage limit on an infrastructure resource at the provider account level to ensure that the resource consumption is within the specified quota limits across all projects of that provider account.
Quotas are allocated at the account and project levels. Enforcement of resource quota depends on the following factors:
You must enable the policy engine to enforce resource quota policies. For more information, see Enabling policy Engine.
You can define resource quota limits at the project level for the projects that you create in Calm or in Prism Central. The Policies tab of the Project page in Calm provides a unified view of all the resource quota limits that you defined for the project and the accounts within the project. You can manage all your project-specific quota definition on the Policies tab. For more information on how to manage project-level quota limits, see Managing Quota Limits for Projects.
You must consider these conditions while allocating quotas at the project level.
Calm performs quota checks for every resource provisioning request. Quota check happens for multi-VM applications, single-VM applications, and the VMs that are created from Prism Central within a project.
The Prism Admin and Project Admin can view project-wise usage of infrastructure resources for each cluster. For more information, see Viewing Quota Utilization Report and Managing Quota Limits for Projects.
The Policies tab of a project provides you the options to define and manage quota limits for the project and its associated Nutanix and VMware accounts.
You can do the following as part of the quota limit management at the project level:
A snapshot policy allows you to define rules to create and manage snapshots of application VMs that run on a Nutanix platform. The policy determines the overall intent of the snapshot creation process and the snapshot expiration. You can create rules in your snapshot policy to manage your snapshots on a local cluster, on a remote cluster, or both. Perform the following steps to create your snapshot policy.
For information on the snapshot configuration and creation, see Snapshot and Restore for Nutanix Platform.
A blueprint is the framework for every application that you model by using Calm. Blueprints are templates that describe all the steps that are required to provision, configure, and execute tasks on the services and applications that you create.
You create a blueprint to represent the architecture of your application and then run the blueprint repeatedly to create an instance, provision, and launch applications.
A blueprint also defines the lifecycle of an application and its underlying infrastructure; starting from the creation of the application to the actions that are carried out on a blueprint until the termination of the application.
You can use blueprints to model the applications of various complexities; from simply provisioning a single virtual machine to provisioning and managing a multi-node, multi-tier application.
Calm uses services, application profiles, packages, substrates, and actions as building blocks for a blueprint to define applications.
An application is made up of multiple components (or services) working together. The architecture of an application is composed of compute, storage, network, and their connections and dependencies. Services are logical entities that are exposed by an IP address. End users and services communicate with each other over a network through their exposed IP addresses and ports. For more information, see Services Overview.
Any useful blueprint requires infrastructure for instantiation. A blueprint can specify the exact infrastructure or can be completely left to the blueprint user to specify at the time of instantiation.
An application profile provides different combinations of the service, package, and VM (infrastructure choices) while configuring a blueprint. The application profile allows you to use the same set of services and packages on the different platforms. You select an application profile while launching your blueprint.
Application profiles determine where an application should run, for example, on a Nutanix provider account or on an Azure account. Application profiles also control the T-shirt sizing of an application. T-shirt sizing means that the value of a variable might change based on the selection of a small or a large instance of an application.
If Showback feature is enabled, the application profile also displays service cost of the resources used for an application.
Package Install and Uninstall are operations that are run when you first launch a blueprint or when you finally delete the entire application. In other words, these operations are run during the Create or Delete profile actions. Package Install and Uninstall are unique to each application profile, which means that the tasks or the task contents can vary depending upon the underlying cloud or the size.
Package install is commonly used for installing software
packages. For example, installing PostgreSQL with
sudo yum -y install
postgresql-server postgresql-contrib
.
Substrates are a combination of the underlying cloud and the virtual machine instance. When you select the desired cloud, Calm displays all of the fields required for creating a virtual machine instance on that particular cloud. The combination of all these fields constitutes a substrate. Substrates are the infrastructure abstraction layer for Calm. Calm can quickly change where or how applications are deployed by simply changing the substrate.
Actions are runbooks to accomplish a particular task on your application. You can use actions to automate any process such as backup, upgrade, new user creation, or clean-up, and enforce an order of operations across services. For more information, see Actions Overview.
Calm also has a few other components that you can use while configuring your blueprints.
Calm macros are part of a templating language for Calm scripts. These are evaluated by Calm's execution engine before the script is run. Macros help in making scripts generic and creating reusable workflows. For more information, see Macros Overview.
Variables are either user defined or added to the entities by Calm. Variables are always present within the context of a Calm entity and are accessible directly in scripts running on that entity or any of its child entities. For more information, see Variables Overview.
Categories (or tags) are metadata labels that you assign to your cloud resources to categorize them for cost allocation, reporting, compliance, security, and so on. Each category is a combination of key and values. For more information, see Categories Overview.
Dependencies are used to define the dependence of one service in your application on another service or multiple other services for properties such as IP addresses and DNS names. For example, if service 2 is dependent on service 1, then service 1 starts first and stops after service 2.
For information about how to define dependencies between services, see Setting up the Service Dependencies.
You can configure the following blueprint types in Calm.
A single-VM blueprint is a framework that you can use to create and provision an instance and launch applications that require only one virtual machine. Single-VM blueprints enable you to quickly provide Infrastructure-as-a-Service (IaaS) to your end users. For more information, see Creating a Single-VM Blueprint.
A multi-VM blueprint is a framework that you can use to create an instance, provision, and launch applications requiring multiple VMs. You can define the underlying infrastructure of the VMs, application details, and actions that are carried out on a blueprint until the termination of the application. For more information, see Creating a Multi-VM Blueprint.
The blueprint editor provides a graphical representation of various components that allow you to visualize and configure the components and their dependencies in your environment.
Use the Blueprints tab to perform actions, such as:
Services are the virtual machine instances, existing machines or bare-metal machines, that you can provision and configure by using Calm. You can either provision a single service instance or multiple services based on the topology of your application. A service can only expose an IP address and ports on which the request is received. After a service is configured, you can clone or edit the service as required.
A service includes the following entities:
A VM defines the configuration of the virtual machine instance, the platform on which the VM will be installed, and the connection information of the machine. For example, as shown in the following figure, you need to define the name, cloud, operating system, IP address, and the connection information for an existing machine.
A package enables you to install and uninstall software on an existing machine or bare metal machine by using a script. You need to provide the credentials of the VM on which you need to run the script. A sample script is shown in the following figure. Package also defines the port number and the protocol that is used to access the service.
A service enables you to create the variables that are used to define the service-level tasks and service-level actions. As part of the service, you can also define the number of replicas that you want to create of a service. The maximum number of replicas allowed is 300.
For information about how to configure a service, see Configuring Nutanix and Existing Machine VM, Package, and Service.
Calm macros are part of a templating language for Calm scripts. These are evaluated by Calm's execution engine before the script is run.
Macros enable you to access the value of variables and properties that are set on entities. The variables can be user defined or system generated. For more information, see Variables Overview.
Macros help in making scripts generic and creating reusable workflows. You can use macros in tasks within the blueprints or in the configuration of Calm entities, such as the VM name.
Macros require a set of delimiters for evaluation. These are @@{ and }@@ . Everything within these delimiters is parsed and evaluated. For example,
Macros support the following entities.
Macros support the following data types.
Data Type | Usage |
---|---|
String |
@@{"some string"}@@ or @@{'some string'}@@
Note:
Newline or other such special
characters are not supported. You can use \ to escape quotes.
|
Numbers |
Supports integer and float. For example, @@{ 10 + 20.63 }@@
Note:
All variables
are treated as strings.
|
Macros support the following operations.
Calm allows you to access macros of an array service using a special macro which starts with calm_array . You can configure a VM with replicas and access the common macros of all the replicas. For example, you can:
@@{calm_array_name}@@
@@{calm_array_address}@@
@@{calm_array_id}@@
The following table lists the built-in macros that you can use to retrieve and display the entities.
Macro | Usage |
---|---|
@@{calm_array_index}@@ | Index of the entity within an array |
@@{calm_blueprint_name}@@ | Name of the blueprint from which the application was created |
@@{calm_blueprint_uuid}@@ | Universally unique identifier (UUID) of the blueprint from which the application was created |
@@{calm_application_name}@@ | Name of the application |
@@{calm_application_uuid}@@ | UUID of the application |
@@{calm_uuid}@@ | UUID of the entity within the application on which the current task is running |
@@{calm_random}@@ | A random number is generated each time this is used. This will be evaluated each time and should not be used in fields such as VM name. |
@@{calm_unique}@@ | A random number that is unique to this replica. This will be evaluated to the same value across runs. |
@@{calm_jwt}@@ | JWT for the currently logged in user for API authentication. |
@@{calm_now}@@
@@{calm_today}@@ |
The current time stamp |
@@{calm_time(“<format>”)}@@ | The current time in the specified format |
@@{calm_year(“YYYY”)}@@
@@{calm_year(“YY”)}@@ |
The current year in YYYY or YY format |
@@{calm_month(“short”)}@@
@@{calm_month(“long”)}@@ |
Name of the current month in long or short format |
@@{calm_day(“month”)}@@
@@{calm_day(“year”)}@@ |
Numeric day of the month or year |
@@{calm_weeknumber}@@
@@{calm_weeknumber(“iso”)}@@ |
ISO Numeric week of the year |
@@{calm_weekday(“number”)}@@
@@{calm_weekday(“name_short”)}@@ @@{calm_weekday(“name_long”)}@@ |
Day of the week in numeric or short name or long name |
@@{calm_hour(“12”)}@@
@@{calm_hour(“24”)}@@ @@{calm_hour(“am_pm”)}@@ |
Numeric hour of the day in 12:00-hour or 24:00-hour format along with AM or PM |
@@{calm_minute}@@ | Numeric minute |
@@{calm_second}@@ | Numeric second |
@@{calm_is_weekday}@@ | Displays 1 if the current day is a weekday |
@@{calm_is_long_weekday}@@ | Displays 1 if the current day is a weekday from Monday to Saturday |
@@{calm_is_within("time1", "time2")}@@ | Displays 1 if the current time is within the time1 and time2 range |
@@{calm_project_name}@@ | Displays the project name |
@@{calm_username + @nutanix.com}@@ | Displays the username |
@@{calm_float("32.65") * 2}@@
@@{calm_int(calm_array_index) + 1}@@ |
Typecast to integer. This is useful for binary operations. |
@@{calm_string(256) + "-bit"}@@
@@{"xyz" + calm_string(42)}@@ |
Typecast to string. This is useful for string concatenation. |
@@{calm_b64encode(api_response)}@@
@@{calm_b64encode("a,b,c")}@@ |
Base64 encode the data passed to this macro. |
@@{calm_b64encode(b64_encoded_data)}@@
@@{calm_b64encode("YSxiLGM=")}@@ |
Base64 decode the data passed to this macro. |
You can access the properties of a VM by using the platform macros. The following section describes the macros to access the VM properties for different providers.
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.status.cluster_reference.uuid}@@ | To access the uuid of the cluster or the Prism element. |
@@{platform.status.resources.nic_list[0].mac_address}@@ |
To access mac the address.
Note:
Use the
nic_list
index to
access the mac address of a specific nic.
|
@@{platform.status.resources.nic_list[0].subnet_reference.name}@@ | To access the NIC name. |
@@{platform.status.resources.power_state}@@ | To get the state of the VM. |
@@{platform.status.num_sockets}@@ | To access number of sockets of the VM. |
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.datastore[0].Name}@@ | To access the datastore name. |
@@{platform.num_sockets}@@ | To access number of sockets of the VM. |
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.creationTimestamp}@@ | To get the VM creation time stamp. |
@@{platform.selfLink}@@ | To access the self link of the VM. |
@@{platform.networkInterfaces[0].subnetwork}@@ | To access the network details of the VM. |
The following table lists the endpoint macros for HTTP, Linux, and Windows endpoint types.
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.base_url}@@ | Base URL of the HTTP endpoint |
@@{endpoint.connection_timeout}@@ | Time interval in seconds after which the connection attempt to the endpoint stops |
@@{endpoint.retry_count}@@ | Number of attempts the system performs to create a task after each failure |
@@{endpoint.retry_interval}@@ | Time interval in seconds for each retry if the task fails |
@@{endpoint.tls_verify}@@ | Verification for the URL of the HTTP endpoint with a TLS certificate |
@@{endpoint.proxy_type}@@ | HTTP(s) proxy/SOCKS5 proxy to use |
@@{endpoint.base_urls}@@ | Base URLs of HTTP endpoints |
@@{endpoint.authentication_type}@@ | Authentication method to connect to an HTTP endpoint: Basic or None |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.address}@@ | IP address to access the endpoint device |
@@{endpoint.port}@@ | Port number to access the endpoint |
@@{endpoint.value_type}@@ | Target type of the endpoint: IP address or VM |
@@{endpoint.addresses}@@ | IP addresses to access endpoint devices |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.address}@@ | IP address to access the endpoint device |
@@{endpoint.port}@@ | Port number to access the endpoint |
@@{endpoint.value_type}@@ | Target type of the endpoint: IP address or VM |
@@{endpoint.connection_protocol}@@ | Connection protocol to access the endpoint: HTTP or HTTPS |
@@{endpoint.addresses}@@ | IP addresses to access endpoint devices |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
The following table lists the runbook macros.
Macro | Usage |
---|---|
@@{calm_runbook_name}@@ | Name of the runbook |
@@{calm_runbook_uuid}@@ | Universally unique identifier (UUID) of the runbook |
The following table lists the common properties of the virtual machine that are available for usage.
Properties | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
Macros provide a way to access the values of variables that you set on entities. Variables are either user defined or added to the entities by Calm. Variables are always present within the context of a Calm entity and are accessible directly in scripts running on that entity or any of its child entities.
The variable value of a parent entity can be accessed by the child entity unless the properties or the variables are overridden by another entity.
For example, if Variable1 is a variable that you defined on the application profile, then all child entity of the application profile can directly access the value of Variable1 in any task or script running on it as @@{variable1}@@ unless overridden by another entity.
Variables are directly accessed as @@{variable_name}@@ within any task on an entity where the variable is defined and all child entity that inherit this variable. This syntax only delivers the value for the corresponding replica in which the task is running. To get comma-separated values across replicas, you can use @@{calm_array_variable_name}@@ .
For example, on a service with 2 replicas, if you set a backup_dir variable through a set variable Escript task such as:
print "backup_dir=/tmp/backup_@@{calm_array_index}@@"
You get /tmp/backup_0 and /tmp/backup_1 values for replica 0 and 1 respectively.
When a task runs on this service with the echo "@@{backup_dir}@@" script, the script evaluates the following values in each replica of the service:
/tmp/backup_0
/tmp/backup_1
When you change the script to echo "@@{calm_array_backup_dir}@@" , the script evaluates to the following values in each replica of the service:
/tmp/backup_0,/tmp/backup_1
/tmp/backup_0,/tmp/backup_1
The syntax to access the value of variables or properties of other entities or dependencies is @@{<entity name>.<variable/attribute name>}@@ where entity name , is the name of the other entity or dependency and variable/attribute name is the name of the variable or attribute. For example:
Action-level variables are variables that are associated to an action and passed as an argument to the runlog when you run the action. Service action variables are unique for each service while the profile action variables are unique for each profile across all services and replicas. If you deploy five replicas, the service action variables will be the same across all replicas.
Action variables are used in the context of running an action and are defined at the action level. For example, if you have an action to install or uninstall a package on a particular VM, you can have the following action variables.
With multiple runs of this action, you can then install or uninstall multiple packages on the VM.
The following table lists the Nutanix variables that are available for usage.
Variables | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in VMware macros that you can use to retrieve and display the entities.
Properties | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in AWS macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{aws_instance_id}@@ | Instance ID of AWS |
@@{private_ip_address}@@ | Private IP address |
@@{private_dns_name}@@ | Private DNS name |
@@{public_ip_address}@@ | Public IP address |
@@{public_dns_name}@@ | Public DNS name |
@@{vm_zone}@@ | AWS zone of instance |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in GCP macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@
@@{ip_address}@@ @@{public_ip_address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{zone}@@ | Zone in which the VM instance is created. |
@@{platform_data}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
@@{internal_ips}@@ | List of all the private IP addresses. |
@@{external_ips}@@ | List of all the public IP addresses. |
The following table lists the built-in Azure macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{private_ip_address}@@ | Private IP address |
@@{public_ip_address}@@ | Public IP address |
@@{resource_group}@@ | Resource group name in which the VM instance is created. |
@@{platform_data}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the Kubernetes variables that are available for usage.
Properties | Usage |
---|---|
@@{K8sPublishedService.address}@@ | IP address of the service. |
@@{K8sPublishedService.name}@@ | Name of the service. |
@@{K8sPublishedService.ingress}@@ | Load balancer IP for public service. |
@@{K8sPublishedService.platform}@@ | Platform data for the service. |
@@{K8sDeployement.name}@@ | Name of the deployment. |
@@{K8sDeployement.platform}@@ | Platform data for the deployment. |
Categories (or tags) are metadata labels that you assign to your cloud resources to categorize them for cost allocation, reporting, compliance, security, and so on. Each category is a combination of key and values.
Your providers impose a limit to the number of tags that you can use for cloud governance. The following table lists the category or tag limit imposed by each provider:
Providers | Category or Tag Limit |
---|---|
Nutanix | 30 |
AWS | 50 |
VMware | No limit |
GCP | 15 |
Azure | 15 |
Calm reserves 6 tags out of the total tags allowed by your provider and populates them automatically when you provision your VMs using Calm. For example, AWS allows a limit of 50 tags. When you provision your VM on AWS using Calm, 6 out of 50 tags are automatically populated with keys and values specific to Calm VM provisioning. You can use the remaining 46 tags to define other key-value pairs.
The following table lists the Calm-specific categories or tags and their availability for different providers:
Categories or Tags | Nutanix | AWS | VMware | GCP | Azure |
---|---|---|---|---|---|
account_uuid | X | X | X | X | |
CalmApplication | X | X | X | X | X |
CalmService | X | X | X | X | X |
CalmUsername | X | X | X | X | X |
Calm Project | X | X | X | X | |
OSType | X | X | X | X | X |
A single-VM blueprint is a framework that you can use to create and provision an instance and launch applications that require only one virtual machine.
Single-VM blueprints enable you to quickly provide Infrastructure-as-a-Service (IaaS) to your end users.
You can create single-VM blueprints with your Nutanix, VMware, AWS, GCP, or Azure accounts. Use these steps to create a single-VM blueprint with any of your provider accounts.
Perform the following steps to do the preliminary setup of your single-VM blueprint.
Perform the following steps to add VM details to your blueprint.
Configuring the VM in your blueprint is specific to the provider account and the operating system you select for your blueprint. You can configure the VM in a blueprint with Nutanix, VMware, AWS, GCP, or Azure accounts.
Perform the following steps to configure the VM in a single-VM blueprint for your Nutanix account.
vm-@@{calm_time}@@
. For more information on Calm macros,
see Macros Overview.
Perform the following steps to configure the VM in a single-VM blueprint for your VMware account.
Templates allow you to create multiple virtual machines with the same characteristics, such as resources allocated to CPU and memory or the type of virtual hardware. Templates save time and avoid errors when configuring settings and other parameters to create VMs. The VM template retrieves the list options from the configured vCenter.
For more information, refer to VMware KB articles.
A content library stores and manages content (VMs, vApp templates, and other types of files) in the form of library items. A single library item can consist of one file or multiple files. For more information about the vCenter content library, see the VMware Documentation .
Perform the following steps to configure the VM in a single-VM blueprint for your GCP account.
Perform the following steps to configure the VM in a single-VM blueprint for your AWS account.
Perform the following steps to configure the VM in a single-VM blueprint for your Azure account.
The Resource Group list displays the resource groups that are associated with the subscriptions you selected in your Azure account. In case you have not selected any subscriptions, Calm considers all the subscriptions that are available in the Azure service principal to display the resource groups. Each resource group in the list also displays the associated subscription.
Perform the following steps to configure the VM in a single-VM blueprint for your Xi Cloud account.
vm-@@{calm_time}@@
. For more information on Calm macros,
see Macros Overview.
Xi Infrastructure Service Admininistration
Guide
.
Perform the following steps to configure advanced options such as credentials, packages, pre-create and post-delete tasks. Configuring advanced options is optional for a blueprint.
Perform the following steps to configure pre-create task, post-delete task, install package, or uninstall package in a single-VM blueprint.
Perform the following steps to configure application variables in your blueprint.
[
{
"display": "HTML Tutorial",
"url": "https://www.w3schools.com/html/default.asp"
},
{
"display": "CSS Tutorial",
"url": "https://www.w3schools.com/css/default.asp"
},
{
"display": "JavaScript Tutorial",
"url": "https://www.w3schools.com/js/default.asp"
},
{
"display": "jQuery Tutorial",
"url": "https://www.w3schools.com/jquery/default.asp"
},
{
"display": "SQL Tutorial",
"url": "https://www.w3schools.com/sql/default.asp"
},
{
"display": "PHP Tutorial",
"url": "https://www.w3schools.com/php/default.asp"
},
{
"display": "XML Tutorial",
"url": "https://www.w3schools.com/xml/default.asp"
}
]
Then,
during the launch time the list options are ["HTML Tutorial","CSS
Tutorial","JavaScript Tutorial","jQuery Tutorial","SQL Tutorial","PHP
Tutorial","XML Tutorial"].
A multi-VM blueprint is a framework that you can use to create an instance, provision, and launch applications that require multiple VMs.
In a Multi-VM blueprint, you can define the underlying infrastructure of the VMs, application details, and actions that are carried out on a blueprint until the termination of the application.
Services are the virtual machine instances, existing machines or bare-metal machines, that you can provision and configure by using Calm. A service exposes the IP address and ports on which the request is received. You can either provision a single-service instance or multiple services based on the topology of your application.
For more information about services in Calm, see Services Overview.
You can define and configure the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application for a service provider.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a Nutanix platform.
vm-@@{calm_array_index}@@-@@{calm_time}@@
. For more
information on Calm macros, see Macros Overview.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on an AWS platform.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a VMware platform.
Templates allow you to create multiple virtual machines with the same characteristics, such as resources allocated to CPU and memory or the type of virtual hardware. Templates save time and avoid errors when configuring settings and other parameters to create VMs. The VM template retrieves the list options from the configured vCenter.
For more information, refer to VMware KB articles.
A content library stores and manages content (VMs, vApp templates, and other types of files) in the form of library items. A single library item can consist of one file or multiple files. For more information about the vCenter content library, see the VMware Documentation .
To know the supported VMware guest tools versions, see the
VMware Product Interoperability Matrices .
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a GCP platform.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on an Azure platform.
The Resource Group list displays the resource groups that are associated with the subscriptions you selected in your Azure account. In case you have not selected any subscriptions, Calm considers all the subscriptions that are available in the Azure service principal to display the resource groups. Each resource group in the list also displays the associated subscription.
For Windows VMs, the Store field specifies the certificate store on the virtual machine to which the certificate is added. The specified certificate store is implicitly created in the LocalMachine account.
For Linux VMs, the certificate file is placed under the /var/lib/waagent directory. The format of the file name is <UppercaseThumbprint>.crt for the X509 certificate and <UppercaseThumbpring>.prv for private key. Both of these files are .pem formatted.
The following section describes Azure troubleshooting.
/home/calm/log/styx.log
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on Xi cloud provider.
Xi Infrastructure Service Admininistration
Guide.
Perform the following procedure to configure Kubernetes Deployment, Containers, and Service.
A Pod is the basic execution unit of a Kubernetes application and the smallest and simplest unit in the Kubernetes object model that you create or deploy. A Pod represents processes running on your cluster.
Labels are key/value pairs that are attached to objects, such as pods. You can use Labels to specify identifying attributes of objects that are meaningful and relevant to users, but do not directly imply semantics to the core system. You can also use Labels to organize and to select subsets of objects. You can attach Labels to objects either at the creation time or later. Each object can have a set of key/value labels defined. Each key must be unique for a given object.
NodePort
). A
ClusterIP
Service, to which the
NodePort
Service routes, is automatically created.
You'll be able to contact the
NodePort
Service, from
outside the cluster, by requesting
<NodeIP>:<NodePort>
.
NodePort
and
ClusterIP
Services, to which the external load
balancer routes, are automatically created.
Labels are key/value pairs that are attached to objects, such as pods. You can use Labels to specify identifying attributes of objects that are meaningful and relevant, but do not directly imply semantics to the core system. You can also use Labels to organize and select subsets of objects. You can attach Labels to objects at creation time and add or modify at any time. Each object can have a set of key/value labels defined. Each key must be unique for a given object.
Dependencies are used to define the order in which tasks must get executed. Perform the following procedure to set up the service dependency.
An application profile provides different combinations of the service, package, and VM while configuring a blueprint. You configure application profiles and use them while launching a blueprint.
[
{
"display": "HTML Tutorial",
"url": "https://www.w3schools.com/html/default.asp"
},
{
"display": "CSS Tutorial",
"url": "https://www.w3schools.com/css/default.asp"
},
{
"display": "JavaScript Tutorial",
"url": "https://www.w3schools.com/js/default.asp"
},
{
"display": "jQuery Tutorial",
"url": "https://www.w3schools.com/jquery/default.asp"
},
{
"display": "SQL Tutorial",
"url": "https://www.w3schools.com/sql/default.asp"
},
{
"display": "PHP Tutorial",
"url": "https://www.w3schools.com/php/default.asp"
},
{
"display": "XML Tutorial",
"url": "https://www.w3schools.com/xml/default.asp"
}
]
Then,
during the launch time the list options are ["HTML Tutorial","CSS
Tutorial","JavaScript Tutorial","jQuery Tutorial","SQL Tutorial","PHP
Tutorial","XML Tutorial"].
Blueprint configuration involves adding tasks, actions, snapshot and restore configurations, and VM update configurations.
Perform the following procedure to configure a blueprint.
Credentials are used to authenticate a user to access various services in Calm. Calm supports static and dynamic credentials with key-based and password-based authentication methods.
You configure a check log-in task to check whether you are able to SSH into the VM you create. Perform the following steps to configure check log-in.
You can either select the public IP address or private IP address of a NIC.
Delay timer defines the time period when the check login script is run after the VM starts. It allows you to configure the delay time to allow guest customization script, IP, and all other services to come up before running the check login script.
Tasks are part of your deployment creation process and are run one after the other. The tasks are used to perform a variety of operations such as setting up your environment, installing a set of software on your service, and so on.
You have the following basic types of tasks.
Pre-create tasks are actions that are performed before a service is provisioned in a blueprint. For example, if you want to assign static IP addresses to your VMs by using IPAM service, you can create and run a pre-create task to receive the IP addresses before the service is provisioned. The pre-create task helps to restrict the broadcast traffic to receive the IP addresses for those VMs during the service provision.
Post-delete tasks are actions that are performed after you delete a service in a blueprint. For example, if you want to delete the assigned IP addresses from your VMs, you can add a post-delete task to delete the IP addresses after the service is deleted. The post-delete task helps to restrict the broadcast traffic to delete the IP addresses for those VMs during the service provision.
You can create the Execute task type to run scripts on the VM.
eScripts
, see Supported eScript Modules and Functions.
For sample
Powershell
scripts, see Sample Powershell Script.
You can create a Set Variable task type to change variables in a blueprint.
Escripts
, see Supported eScript Modules and Functions.
For sample
Powershell
scripts, see Sample Powershell Script.
You can create an HTTP task type to query REST calls from a URL. An HTTP task supports GET, PUT, POST, and DELETE methods.
You can create a Delay task type to set a time interval between two tasks or actions.
Pre-create tasks are actions that are performed before a service is provisioned in a blueprint. Post-delete tasks are actions that are performed after you delete a service in a blueprint.
Actions are flows to accomplish a particular task on your application. You can use actions to automate any process such as backup, upgrade, new user creation, or clean-up and enforce an order of operations across services.
You can categorize actions into the following types.
Type | Description |
---|---|
Profile Actions |
Application Profile Actions are a set of operations that you can run on your
application. For example, when you launch a blueprint, the Create action is run. When
you do not need the application for a period of time, you can run the Stop action to
gracefully stop your application. When you are ready to resume your work, you can run
Start action to bring the application back to the running state.
You have the following types of profile actions.
|
Service Actions |
Service Actions are a set of operations that are run on an individual service.
These actions cannot be run directly by the application user but can be run indirectly
using either a profile actions or a package install or uninstall operation.
Services span application profiles. For example, if you create a service action in the AHV profile, the same service action is available in the AWS profile as well. You have the following types of service actions.
|
The following are the most common custom actions that developers add to their blueprints:
Custom Action | Description |
---|---|
Scale In |
The scale-in functionality enables you to decrease the number of replicas of a
service deployment. The number of instances to be removed from a service for each
scale-in action is defined in the blueprint while configuring the task in the
profile level action.
The scale count number must be less than or equals to the minimum number of replicas defined for the service. The VM that is created last is deleted first. For information on how to configure scale in, see Adding and Configuring Scale Out and Scale In. |
Scale Out |
The scale out functionality enables you to increase the number of replicas of a
service deployment. The number of instances to be added to a service for each
scale-out action is defined in the blueprint while configuring the task in the
profile level action.
The scale count number must be less than or equals to the maximum number of replicas defined for the service. For information on how to configure scale out, see Adding and Configuring Scale Out and Scale In. |
For information about how to create an action, see Adding an Action to a Multi-VM Blueprint and Adding an Action to a Single-VM Blueprint.
An action is a set of operations that you can run on your application that are created as a result of running a blueprint.
An action is a set of operations that you can run on your application that are created as a result of running a blueprint.
Perform the following procedure to add and configure the Scale Out and Scale In task.
The snapshot and restore feature allows you to create a snapshot of a virtual machine at a particular point in time and restore from the snapshot to recreate the application VM from that time. You can configure snapshot and restore for both single-VM and multi-VM applications on a Nutanix platform. All you need to do is to add the snapshot/restore configuration to the blueprint. Adding the configuration generates separate profile actions for snapshot and restore to which you can add further tasks and actions.
For VMware, AWS, and Azure platforms, the snapshot and restore feature is available by default only to the single-VM applications.
For more information on blueprint configuration for snapshots, see Configuring Single-VM Blueprints with Nutanix for Snapshots and Configuring Multi-VM Blueprints on Nutanix for Snapshots.
The snapshot/restore action for single-VM applications with Nutanix is no longer available by default. To enable snapshot, you must add a snapshot/restore configuration to the single-VM blueprint. You can configure to create snapshots locally or on a remote cluster. Snapshot and restore is a paired action in a blueprint and are always managed together.
The snapshot/restore configuration generates separate application profile actions for snapshot and restore. These actions also allow you to add more tasks and actions as part of the snapshot and restore configuration. For example, shutting down the application and the VM before creating the snapshot or restarting the VM before a restore. You can access these actions from the Manage tab of the Applications page.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
You can configure the snapshot/restore action in a blueprint on Nutanix account to create snapshots locally or on a remote cluster. Snapshot/restore is a paired action for a particular service in a blueprint and are always managed together.
The snapshot/restore definition of a service generates snapshot configuration and its corresponding restore configuration. You can use these configurations to modify your snapshot and restore setup.
The snapshot/restore configuration generates separate application profile actions for snapshot and restore. These actions allow you to add more tasks and actions as part of the snapshot and restore configuration. For example, shutting down the application and the VM before creating the snapshot or restarting the VM or services before a restore. You can access these actions from the Manage tab of the Applications page to create or restore snapshots.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
The update configuration feature allows you to update virtual machines of running applications on Nutanix to a higher or lower configuration. Using this feature, you can modify VM specifications such as the vCPU, memory, disks, networking, or categories (tags) of a running application with minimal downtime. You no longer have to create new blueprints or approach your IT administrator to modify VM resources.
To update configurations of a running application VM, you need to perform the following actions:
As a blueprint developer, you can add update configurations for a service in the blueprint. These update configurations are at the parallel level of application profile actions and can be executed individually for a particular service. As part of the configuration, you can do the following:
For example, consider a case where the original vCPU value in the blueprint is 4. You then add a change factor to the update configuration to increase the vCPU by 1 with a maximum limit of 5. When this update is launched, you can run the action only once to increase the vCPU to 5. Once the VM is upgraded to 5 vCPU, you cannot add any more vCPUs to the VM.
The update configuration generates the corresponding action where you can add tasks to define how you want to execute the update.
For more information about adding update configuration to a blueprint, see Adding an Update Configuration to Single-VM Blueprints and Adding an Update Configuration to Multi-VM Blueprints.
You can update VM specifications from the Manage tab of applications on Nutanix. For more information, see Update VM Configurations of Running Applications.
As a blueprint developer, you can add an update configuration to a single-VM application blueprint.
The update configuration feature allows you to update the virtual machine of a running single-VM application to a higher or lower configuration. For more information, see Update Configuration for VM.
As a blueprint developer, you can add an update configuration for a service to a multi-VM application blueprint.
The update configuration feature allows you to update virtual machines of running multi-VM applications to a higher or lower configuration. For more information, see Update Configuration for VM.
After you configure a blueprint, you can publish, unpublish, launch, or delete a blueprint.
Publishing a blueprint allows you to make the blueprint available at Marketplace, so that other users can use the published blueprint. Unpublishing a blueprint allows you to remove the blueprint from the Marketplace. For more information, see Submitting a Blueprint for Approval.
Launching a blueprint allows you to deploy your application on the blueprint and start using it.
The blueprint launch page provides the following views:
Blueprints that are launched from the marketplace display only the fields that require inputs from consumers. Displaying only editable fields offers a simpler and easy launching experience for your consumers.
You can switch to View as Developer after you develop your blueprints to verify how you configured different fields and the launching experience the configuration will provide to your consumers.
For more information, see Launching a Blueprint.
After you configure a blueprint, you can submit the blueprint to get an approval from the administrator. The administrator approves the blueprint and then publishes the blueprint at the marketplace for consumption.
You launch a blueprint to deploy an application on the blueprint and start using the application.
If the validation is successful, the application is available under the Application tab.
When you enter the platform data that is invalid for a provider while creating a blueprint, you get a validation error. The following table details the invalid platform data for each provider.
Providers | Invalid Platform Data |
Nutanix | Image, NIC List, and Categories. |
GCP | Machine Type, Disk Type, Network, SubNetwork, Source, Image, Zone, and Blank Disk. |
AWS | Vpc, Security Groups, and Subnets. |
VMware | Network name, NIC Type, NIC settings mismatch, Host, Template, Datastore, Datacenter, Storage Pod, and cluster. |
Azure | Image details (publisher, offer, sku, version), Custom image, Resource group, Availability Set Id, NIC List, Network Security group, Virtual Network Name, and Subnet Name. |
The platform validation error message appears as displayed in the following image.
You can also upload configured blueprints to the Blueprints tab. Perform the following procedure to upload a blueprint.
You can also download a configured blueprint to your local machine and use it later. Perform the following procedure to download a blueprint.
Perform the following procedure to view a blueprint.
You can edit a configured blueprint from the blueprints tab. Perform the following procedure to edit a blueprint.
Perform the following procedure to delete a blueprint.
If you have configured wrong details in your blueprint, you can view the error message while saving or publishing a blueprint. Perform the following procedure to view blueprint error message.
You can recover the deleted application blueprints within a time period of 90 days after you delete an application blueprint. This chapter describes the procedure to recover a deleted blueprint.
The marketplace provides preconfigured application blueprints and runbooks for instant consumption. The marketplace is a common platform for both publishers and consumers.
The marketplace has banners to display featured applications. All listed applications display the icon of the platform that supports the application.
You can filter applications or runbooks based on their category and source. You can also search an application or runbook in the marketplace.
Before provisioning an application, you can view details such as application overview, changes made in different versions, and application-level actions.
You can view application details such as licensing, installed resources, hardware requirements, operating systems, platforms, and limitations before you provision the application. You can also view the changes made in different versions and application-level actions.
Perform the following procedure to filter application blueprints or runbooks in the marketplace.
Perform the following procedure to search an application blueprint or runbook.
You can use the Marketplace tab to launch an application blueprint that is approved and published to the marketplace. The application launch page displays the fields that are editable by the consumer.
Following are the rules for naming convention.
VM configurations in blueprints and environments are associated with accounts. The environment patching depends on the account that you associate with the marketplace blueprint and the environment you configured.
To patch a cloud provider VM that has a specific OS type, Calm finds the corresponding match in the environment. In case there are no matches available, Calm displays a notification.
The following table lists the environment patching behavior for platform-dependent and platform-independent fields:
Fields | Condition | Patching Behavior |
---|---|---|
Platform-Dependent Fields | When different accounts are associated with the blueprint and environment | Values from the environment get preference for patching, irrespective of the values in the blueprint. |
Platform-Dependent Fields | When the blueprint and the environment have the same account | Values from the environment are patched only when the fields do not have any value in the blueprint. |
Platform-Independent Fields | When different accounts are associated with the blueprint and environment | Values from the environment are patched only when the fields do not have any value in the blueprint. |
Platform-Independent Fields | When the blueprint and the environment have the same account | Values from the environment are patched only when the fields do not have any value in the blueprint. |
The following table lists the platform-dependent fields for different platforms.
Platform | Platform-Dependent Fields |
---|---|
Nutanix | Image, Categories, Cluster, and NIC |
AWS | Machine Image, Key, Instance Profile Name, VPC ID, Subnet ID, and Security Group List |
GCP | Machine Type, Zone, Network, Disk Type, Source Image, and Email |
VMware | Host, Template, Datastore, Cluster, Storage Pod, Network Name, NIC Type, Disk Location, Disk ISO Path, Folder, and Tag List |
Azure | Resource Group, Location, Availability Set ID, Resource Group Details, Resource Group Operation, Network Security Group Name, Network Name, Subnet Name, Network Security Group ID, Virtual Network ID, Subnet ID, Publisher, Offer, SKU, Version, Source Image Type, and Source Image ID |
Assume that you have two Nutanix Prism Central accounts PC1 and PC2, and you added these accounts to your project (Project1). You then create two environments in the project with the following VM configuration:
ENV1 | ENV2 |
---|---|
|
|
You then create a blueprint with a Nutanix service under Project1 having the following configuration:
When you publish this blueprint in the marketplace and launch the blueprint with a different environment, the environment patching happens as follows:
Because different accounts are associated with the blueprint and environment, all platform-dependent field values are patched from the environment to the blueprint, irrespective of the values already available in the blueprint. The blueprint is launched with the following configuration.
Because the account is same for both blueprint and environment and all the platform-dependent fields already have values, the patching does not happen. The blueprint is launched with the following configuration.
Assume that you have a Prism Central account PC1 that is associated with two Prism Elements PE1 and PE2, and you add PC1 to your project (Project1).
Assume that the associated Prism Elements have the following networks.
You then create two environments with the following VM configuration:
ENV1 | ENV2 |
---|---|
|
|
You then create a blueprint with a Nutanix service under Project1 having the following configuration:
When you publish this blueprint in the marketplace and launch the blueprint with a different environment, the environment patching happens as follows:
Prism Element accounts are derived from the NIC or subnet. The PE1_Net2 network used in the blueprint associates the blueprint to Prism Element PE1, and the PE2_Net1 network used in ENV2 associates the environment to Prism Element PE2.
Because these two networks are connected to two
different Prism Element
account_uuid
, Calm considers this case as two
different accounts associated with the blueprint and environment. All platform-dependent
field values are, therefore, patched from the environment to the blueprint, irrespective
of the values already available in the blueprint. The blueprint is launched with the
following configuration.
The PE1_Net2 network used in the blueprint and the PE1_Net1 network used in ENV belong to the same Prism Element account.
Because these two networks share the same Prism Element
account_uuid
, Calm considers this case as the same account associated
with both the blueprint and environment. Platform-dependent fields in this case already
have values, and the patching does not happen. The blueprint is launched with the
following configuration.
Patching of credentials happens only when you publish your blueprints in the marketplace without secrets.
For patching, the credentials of the marketplace blueprint are mapped with the environment using the associated provider account and operating system type. The password or the key value of the corresponding environment is then patched to the blueprint. The credential name and the credential username are never patched from the environment.
For example, if the blueprint and the environment have the following configurations:
Blueprint | Environment |
---|---|
|
|
The credentials patching in the blueprint happens as follows:
When Blueprint is Published with Secrets | When Blueprint is Published without Secrets |
---|---|
|
|
The Cluster field is platform dependent. The environment patching logic of a platform-dependent field depends on the account that you associate with the marketplace item and the VM configuration of the environment.
Condition | Patching Behavior |
---|---|
When the cluster reference in the blueprint and in the environment VM configuration is the same. | No patching happens. The cluster reference from the blueprint is used for the launch. |
When the cluster reference in the blueprint and in the environment VM configuration is different. | Patching happens. The cluster value is patched from the environment for the launch. |
When the cluster reference in the blueprint is a macro.
Note:
Cluster reference
can be a macro only when all the subnets are overlay subnets or all the subnets are
macros.
|
No patching happens. The cluster value will remain as a macro.
When the reference is a macro, it is independent of the environment or the account that is being used for launch. |
VLAN subnets are platform dependent. The environment patching logic of VLAN subnets depends on the cluster reference of the blueprint and the cluster reference of the associated environment VM configuration.
Overlay subnets are VPC dependent. The environment patching logic of these subnets depends on the VPC reference in the blueprint and the VPC reference of the associated environment VM configuration.
All subnets in the substrate of a blueprint can either have overlay subnets or VLAN subnets. If subnets are overlay subnets, then all the subnets in the substrate must belong to the same VPC.
Condition | Patching Behavior |
---|---|
When the VLAN subnets in the blueprint and in the environment VM configuration is the same. | No patching happens. VLAN subnets are platform dependent. The VLAN subnet values referred in the blueprint are used. |
When the VLAN subnets in the blueprint and in the environment VM configuration is different. | Patching happens. VLAN subnets are platform dependent. The VLAN subnet values are patched from the environment. |
When the VPC reference of the subnets (overlay subnets) in the blueprint and the environment VM configuration is the same. |
No patching happens. The subnet values of the blueprint are used for the
launch.
Values from the environment is patched only if it is empty in the blueprint or not allowed in the destination environment. |
When the VPC reference of the subnets (overlay subnets) in the blueprint and the environment VM configuration is different. | Patching happens. The subnet values are patched directly from the environment. |
When the network type in the blueprint and the environment VM configuration are different (for example, overlay subnets in the blueprint and VLAN subnets in the environment). | Patching happens. The subnet values are patched directly from the environment. |
When the subnet reference of the any of the NICs in the blueprint is a macro. | Patching follows the usual conditions. However, the macros are never patched. |
You can execute a runbook an approved and published runbook using the Marketplace tab.
You can clone an application blueprint or runbook from the marketplace.
Use Marketplace Manager to manage the list of custom blueprints, ready-to-use marketplace application blueprints, and runbooks. You can approve, reject, launch, publish, unpublish, assign a category, and select projects for a blueprint. You can also approve, reject, publish, unpublish, and execute runbooks.
The Approved tab on the Marketplace Manager page provide you a list of ready-to-use application blueprints and the custom blueprints or runbooks you approved. The Approval Pending tab provides a list of custom blueprints and runbooks that require your approval to be available in the Marketplace for consumption.
When you select a blueprint or runbook from the list on any tab, the inspector panel displays the operations you can perform on the selected blueprint or runbook. The inspector panel also displays a brief overview of the blueprint or runbook and allows you to assign projects to blueprint or runbook.
You can perform the following actions on blueprints or runbooks.
Marketplace version enables you to define the initial version number of the blueprint or runbook that is getting published to the marketplace. Marketplace version also enables you to revise the version of a blueprint or runbook that is already published to the marketplace. For information about how to define marketplace version, see Submitting a Blueprint for Approval or Submitting a Runbook for Publishing.
You can approve custom blueprints or runbooks that are submitted for approval on the Approval Pending tab. You can also publish the approved blueprints or runbooks to the marketplace after associating them with a project on the Approved tab.
The Approved tab also displays the ready-to-use application blueprints that are available after enabling the Nutanix Marketplace Apps toggle button on the Settings page. These application blueprints do not require approval and can be published directly to the marketplace after associating them with a project. For more information about enabling the ready-to-use applications, see Enabling Nutanix Marketplace Applications.
You can unpublish a blueprint or runbook if you do not want to list it in the Marketplace. You can publish the blueprint or runbook again if required.
You can delete a blueprint or runbook that is not published in the marketplace. If you want to delete a published blueprint or runbook, you first have to unpublish it and then delete it.
You create applications in Calm by creating and launching blueprints.
The Applications page displays the list of all published applications under the Applications tab and the list of brownfield applications under the Brownfield Applications tab.
The Applications page provides the following details about an application.
You have the following application-level actions.
You cannot perform the Create action after the blueprint is launched and the application is created. You can perform all other application-level actions according to the application state.
You can also perform advanced application actions such as creating or restoring snapshots, updating VM configuration, or cloning an application. See the Advanced Application Actions chapter in this guide for details.
The applications page displays the state of the application based on the actions you perform on the Manage tab.
Application State | Description |
---|---|
Provisioning | When you start an application. |
Running | When the application is deployed and running after the provisioning state. |
Stopping | When you have initiated an operation to stop the application. |
Stopped | When the application is stopped. |
Restarting | When you have initiated an operation to restart the application after the application is stopped. |
Deleting | When you have initiated an operation to delete the application. |
Deleted | When the application is deleted. |
Busy | When you have installed the NGT services on the VMs of an application. |
Updating | When you are editing an application. |
Error | When the application goes to error state due to any action you have performed in the Manage tab. |
Failover-in-progress | When you have initiated a failover operation on Prism Central for the protected VMs of an application. |
Failover-failed |
When the failover operation for the VMs has failed. The failure state mainly
occurs in the following conditions.
|
You can click an application name to get details about the application as shown in the following figure.
The application page consists of the following tabs.
The Overview tab consists of the following panels.
Panel | Description |
---|---|
Application Description | Displays the application description. |
Variables | Displays the variable list used to create the blueprint. You can click the copy icon next to the variable to copy the variable. |
Cost Summary |
Displays the total cost, current cost for each hour, and the cost incurred in a
month for the resources that are running in the blueprint. The cost summary panel also
displays a graphical representation of the incurred cost.
Note:
The
Cost
Summary
panel is applicable for Nutanix and VMware
providers.
|
App Summary |
Displays the following application details.
|
App Status |
Displays the summary of virtual machines (VMs). The panel displays the number of
VMs that are in the following state.
|
VM info |
Displays the following VM details of the application.
|
The Manage tab lists the system-generated and user-created actions that you can perform on the application. When you click any of the listed actions, the editor displays the action dependencies.
You can perform the following system-generated actions on an application.
Nutanix guest tools (NGT) is a software bundle that you can install in a guest virtual machine (Microsoft Windows or Linux) to enable the advanced functionalities provided by Nutanix. For more information on NGT, see the Nutanix Guest Tool section in the Prism Web Console Guide .
The inspector panel also displays the action you perform on an application. To view the detailed course of the action, click Action .
The Metrics tab allows you to view performance metrics of the VM. The Metrics tab displays a section on the left with a list of metrics.
The following table describes the available metrics.
Metric | Description |
---|---|
CPU usage | Displays the percentage of CPU capacity currently the VM is using (0–100%). |
CPU ready Time | Displays the current, high, and low percentage of CPU ready time (0–100%). |
Memory usage | Displays the percentage of memory capacity currently the VM is using (0–100%). |
I/O Bandwidth | Displays separate graphs for total, write (only), and read (only) I/O bandwidth used per second (Mbps or KBps) for physical disk requests by the VM. |
I/O Latency | Displays separate graphs for total, write, and read average I/O latency (in milliseconds) for physical disk requests by the VM. |
IOPS | Displays separate graphs for total, write, and read I/O operations per second (IOPS) for the VM. |
Usage | Displays separate graphs for current, snapshot, and shared storage usage (in GiBs) by the VM. |
Working set size | Displays separate graphs for total, write, and read storage usage (in GiBs) for the VM working set size. |
Network packets dropped | Displays separate graphs for the number of transmitted and received packets dropped. |
Network bytes | Displays separate graphs for the amount of transmitted and received bytes (in GiBs). |
The Recovery Points tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application.
The Recovery Points tab applies only to single VM blueprints running with Nutanix as the provider.
To create snapshots of the single-VM or multi-VM applications that are running on Nutanix platform, use the snapshot action on the Manage tab of the application.
Fields | Description |
---|---|
Name | Displays the name of the snapshots. |
Creation Time | Displays the date and time of the snapshot creation. |
Location | Displays the location where the snapshot was taken. |
Expiration Time | Displays the expiration time of the snapshot. |
Recovery Point Type | Displays whether the snapshot type is application-consistent or crash-consistent. |
The Snapshot tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application. Use this tab to create snapshots of single-VM applications that are running on VMware or Azure.
Fields | Description |
---|---|
ID | Displays the ID of the snapshots. Snapshot IDs are unique and automatically generated when you take a snapshot. |
Name | Displays the name of the snapshot. |
Description | Displays the description of the snapshot. |
Parent | Displays the parent blueprint application from which the snapshot is taken. |
Creation Time | Displays the date and time when the snapshot is taken. |
The AMIs tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application.
Fields | Description |
---|---|
ID | Displays the ID of the snapshots. Snapshot IDs are unique and automatically generated when you take a snapshot. |
Name | Displays the name of the snapshot. |
Description | Displays the description of the snapshot. |
Creation Time | Displays the date and time when the snapshot is taken. |
Perform the following procedure to run shell commands on a web SSH console for a service.
The Audit tab lists the action or actions that are performed on an application as displayed in the following figure. To view the detailed course of the action, click action.
Brownfield applications are created to manage existing VMs that are currently not managed by Calm. To create a brownfield application, Calm must communicate with the VMs that are not managed by Calm. After the application is created, the application runs like any other Calm application.
The following are the key points you must consider before you create a brownfield application.
In Calm, the update configuration is stored as a single element per service and applicable from the first VM instance. When you select multiple VMs with different configurations in a service and update the configuration, the update configuration applies to the first VM instance. The same configuration is then followed for all the remaining VM instances.
Let’s say you selected VM1 and VM2 for the service with a RAM of 4 GB and 8 GB respectively. If you define the update configuration to increase the RAM by 1 GB and run the action, the update applies to VM1 to increase the RAM to 5 GB. The same configuration is then followed for VM2 to change the RAM from 8 GB to 5 GB causing undesirable results in both the update configuration and quota utilization checks.
For information on how to create a brownfield application, see Creating Brownfield Application.
Brownfield applications are created to manage existing VMs that are currently not managed by Calm. Perform the following procedure to create brownfield application.
You must launch the configured brownfield applications to be managed by Calm.
Nutanix Guest Tools (NGT) is a software bundle that you can install in a guest
virtual machine (Microsoft Windows or Linux) to enable the advanced functionality provided
by Nutanix. For more information about NGT, see the
Prism Central
Guide
. Perform the following procedure to install NGT services on your
VM. NGT services are only applicable for AHV clusters.
After you install NGT service on a VM, you can either enable or disable VSS and SSR
services by using the
Manage NGT Apps
play button. To know more VSS
and SSR services, see the
Nutanix Guest Tools
section in the
Prism Web Console Guide
.
If you do not want to recover application details after the host VM becomes unavailable, uninstall the NGT application. Perform the following procedure to uninstall NGT services for your application.
A snapshot preserves the state and data of an application virtual machine at a specific point in time. You can create a snapshot of a virtual machine at a particular point in time and restore from the snapshot to recreate the application from that time.
On a Nutanix platform, you can use the snapshot and restore feature in both single-VM and multi-VM applications. On VMware, AWS, and Azure platforms, you can use the snapshot and restore feature only in a single-VM application.
While the snapshot and restore feature is available by default for VMware, AWS, and Azure platforms, you need to add the snapshot/restore configuration to the single-VM or multi-VM blueprint on Nutanix. Adding the configuration to the blueprint generates separate profile actions for snapshot and restore. For more information, see Configuring Single-VM Blueprints with Nutanix for Snapshots and Configuring Multi-VM Blueprints on Nutanix for Snapshots.
Snapshot and restore of an application VM that runs on a Nutanix platform involves the following configurations and actions:
As a project admin, you define snapshot policies in a project. Snapshot policies help you define rules for taking snapshots of application VM. The policy determines the overall intent of the snapshot creation process and the duration of managing those snapshots. You can configure your snapshot policy to manage your snapshots on a local cluster, on a remote cluster, or both.
Remote snapshots are particularly useful when your Prism Central has a computer-intensive cluster managing workloads and a storage-intensive cluster managing your data, snapshots, and so on.
For more information about creating a snapshot policy, see Creating a Snapshot Policy.
You define snapshot and restore configuration for each service in a blueprint. You can configure the service to create snapshots locally or on a remote cluster. In case your multi-VM blueprint has multiple replicas of the service, you can configure the action to take snapshot only for the first replica or the entire replica set.
The snapshot/restore definition of a service generates the snapshot configuration and its corresponding restore configuration. You can use these configurations to modify your snapshot and restore setup. The snapshot/restore definition also generates application profile actions that you can use to create or restore snapshots. You can add more tasks and actions as part of your snapshot and restore to define actions you might want to take on your services. For example, shutting down the application and the VM before taking the snapshot or restarting the VM or services before a restore.
For more information on snapshot and restore configuration, see Blueprint Configuration for Snapshots and Restore.
You associate a policy defined in a project when you launch the application. Depending on the snapshot configuration that you provide in the blueprint, you can select the policy and the cluster in which the snapshot will be stored.
If you defined remote snapshot in the blueprint, then you can view all the policies that allow you to take a remote snapshot. You can select a policy and the corresponding clusters before you launch the application.
For more information, see Launching a Blueprint.
Like other profile actions, the profile actions for snapshot and restore appear on the Manage tab of an application. The snapshots created are listed under the Recovery Points tab of the application. When you create multiple snapshots as part of one action, they appear as a snapshot group. You can expand the group to view the snapshots, their corresponding services, and location. For more information, see Creating Snapshots on a Nutanix Platform.
Restore follows the same configuration that the snapshot has. To restore, you specify the variables and select applicable recovery points depending on the VM. For more information, see Restoring VM Details from Snapshots on a Nutanix Platform.
Perform the following procedure to create application-consistent or crash-consistent snapshots. Application-consistent or crash-consistent snapshots are used to capture and recover all of the VM and application level details. Application-consistent snapshots can also capture all data stored in the memory and transactions in process.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
Nutanix Guest
Tools
section in the
Prism Web
Console Guide
.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application from the snapshots.
A snapshot preserves the state and data of a virtual machine at a specific point in
time. You can create a snapshot of a virtual machine at any time and revert to that snapshot
to recreate the application from that time. For more information, see the
VMware Documentation
. Perform the following procedure
to create a snapshot.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application VM details from a snapshot.
You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. For more information, see AWS Documentation . Perform the following procedure to create a snapshot on a AWS platform.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application VM details from a snapshot. Ensure that you have captured the snapshots for the application VM.
Creating a snapshot of an application virtual machine on the Azure platform creates a point-in-time copy of your operating system and data disks associated with the VM. The snapshots you create can then be used to create a new VM with the same configurations as the source application VM.
You can restore the VM details of an application after the host VM becomes unavailable. The VM snapshot that you create on an Azure platform consists of the snapshot of operating system and data disks. When you restore the VM details, a new VM is created using the snapshots of the disks.
Perform the following procedure to delete the snapshots created for the VM under an application.
The update configuration feature allows you to update the virtual machine of a running application to a higher or lower configuration. Using this feature, you can modify VM specifications such as the vCPU, memory, disks, networking, or categories (tags) of a running production application with minimal downtime.
The process to update VM configuration of a running application on Nutanix is different from other providers.
To update configurations of a running single-VM or multi-VM applications on Nutanix, you need to perform the following steps:
For more information, see Update Configuration for VM.
You can update VM specifications from the Manage tab of the application. While launching the update, you can define the variables, verify the updates defined for the service by looking at the original value and updated value. You can also modify the values if the component is editable. You can also check the cost difference at the top of the page before applying the changes. For more information, see Updating the VM Configuration of an Application on Nutanix.
The option to update VM configuration of a running single-VM application on VMware, AWS, or Azure is available by default on the Overview tab of the application. The attributes that you can update depends on the provider account you selected for the application.
You can run the update configuration to modify the VM specifications, such as the vCPU, memory, disks, networking, or categories of a single-VM or multi-VM application.
You can click the delete icon to remove the existing disk.
You can click the delete icon to remove any new disk if your blueprint developer has enabled it in the application blueprint.
You can run the update configuration to modify parameters, such as VM configurations, controllers, disks, and network adapters of a single-VM application running on a VMware platform.
You can run the update configuration to modify parameters, such as instance type, IAM role, security groups, tags, and storage of a single-VM application running on an AWS platform.
You can run the update configuration to modify parameters, such as VM configurations, controllers, disks, or network adapters of a single-VM application running on an AWS platform.
You can add or update the credential, custom actions, post delete tasks, or package uninstall tasks from the Overview tab of a single-VM application.
An image is a template for creating new instance or VM. Calm allows you to create images from an existing single-VM or multi-VM application running on a Nutanix platform. Perform the following procedure to create an image from an existing application.
Perform the following procedure to clone an application. The cloned application has the same VM configuration as the source application from which it is cloned.
You can delete the unwanted applications from the Applications tab.
You can define and create custom or user-level actions while configuring a blueprint. Perform the following procedure to run the user-level actions.
System-level actions are pre-defined actions that you can run on an application. Perform the following procedure to execute the system-level actions.
Scheduler allows you to schedule application action and runbook executions. You can schedule recurring jobs and one-time jobs for critical operations throughout the application life cycle.
You can schedule any user-defined application actions, create or restore application snapshots (only AHV), or any pre-defined system actions such as Start, Stop, Restart, Delete, and Soft Delete. For example, you can schedule a Stop action and a Start action on a single-VM Calm application to run at a particular date and time.
Scheduler supports two types of entities.
Scheduler jobs have a role ownership. A user can modify the job that you created if the user has access to the entity and Allow Collaboration is enabled in the associated project. For example, if you create a scheduler job for an application action as a developer, a consumer that has access to the same application can modify the job. If Allow Collaboration is disabled in the project, then only the creator of the scheduler job can modify the job. For information on the role required to schedule application action and runbook execution, see Role-Based Access Control in Calm.
Create a scheduler job to perform an application action or runbook execution.
You can view or update a scheduler job on the Scheduler tab of the Policies page.
Scheduler jobs have a role ownership. You can update a job that a different user has created only when you have access to the entity and collaboration is allowed in the associated project.
You can also click View Logs for any executed job to go to the Audit tab and view the logs.
You can delete a scheduler job on the Scheduler tab of the Policies page.
An approval policy adds a level of governance to determine which application deployment requests or actions require approvals before they are initiated. You can use approval policies to manage your infrastructure resources, their associated costs, and compliance more effectively.
For example, consider a marketplace item that consumes a significant part of your available resources. You can use an approval policy to enable your IT administrator to review all deployment requests for that marketplace item and ensure that all requests are justified.
You can also use approval policies to enable a project administrator to review all the changes that are done as part of orchestration to a critical application instance.
As a Prism Central Admin or Project Admin, you can create approval policies for runbook executions, application launch, and application day-2 operations (system-defined or user-defined actions).
Each approval policy is a defined set of conditions that you apply to specific entities in Calm. An approval request is generated when an associated event meets all the conditions defined in the policy.
You can configure approval policies for specific events with different set of conditions. For example, to configure an approval policy for a marketplace item, you can use the following values:
The following table lists the different conditions that you can define for different events in approval policies. To search for a provider-specific attribute, type the provider name in the Attribute field.
Entity Type and Action | Provider | Attribute | Operator |
---|---|---|---|
Entity Type: Runbook Action: Execute |
All | Runbook Name | Equals, Contains, Like |
Task Name | Equals, Contains, Like | ||
Endpoint Name | Equals, Contains, Like | ||
Entity Type: Application Action: Launch |
All | Substrate Type | Equals, Contains, Like |
Blueprint Name | Equals, Contains, Like | ||
Application Name | Equals, Contains, Like | ||
Application Profile Name | Equals, Contains, Like | ||
Estimated Application Profile Cost | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Account Name | Equals, Contains, Like | ||
VM Name | Equals, Contains, Like | ||
Service Name | Equals, Contains, Like | ||
App Replicas Count | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
OS Type | Equals, Contains, Like | ||
Azure Specific Attributes | Azure Tag | Equals, Contains, Like | |
Azure Location | Equals, Contains, Like | ||
Azure Instance Name | Equals, Contains, Like | ||
Azure Resource Group | Equals, Contains, Like | ||
Azure Availability Zone | Equals, Contains, Like | ||
Azure Availability Set | Equals, Contains, Like | ||
Azure Hardware Profile | Equals, Contains, Like | ||
Azure Data Disk Name | Equals, Contains, Like | ||
Azure Data Disk Type | Equals, Contains, Like | ||
Azure Data Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Azure Network Profile Subnet | Equals, Contains, Like | ||
Azure Network Profile NIC Name | Equals, Contains, Like | ||
Azure Network Profile Virtual Network | Equals, Contains, Like | ||
Azure Network Profile Network Security Group | Equals, Contains, Like | ||
VMware Specific Attributes | VMware Instance Name | Equals, Contains, Like | |
VMware Datastore Cluster | Equals, Contains, Like | ||
VMware Datastore | Equals, Contains, Like | ||
VMware Cluster | Equals, Contains, Like | ||
VMware Host | Equals, Contains, Like | ||
VMware Sockets | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Cores Per Socket | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Memory | Equals, Contains, Like | ||
VMware Adapter Type | Equals, Contains, Like | ||
VMware Network | Equals, Contains, Like | ||
VMware Disk Type | Equals, Contains, Like | ||
VMware Tag | Equals, Contains, Like | ||
VMware Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Template Name | Equals, Contains, Like | ||
AHV Specific Attributes | AHV vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | |
AHV Cores Per vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Memory | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Category | Equals, Contains, Like | ||
AHV VPC Name | Equals, Contains, Like | ||
AHV vLAN Name | Equals, Contains, Like | ||
AHV Disk Type | Equals, Contains, Like | ||
AHV Disk Image Name | Equals, Contains, Like | ||
AHV Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Boot Configuration Type | Equals, Contains, Like | ||
AWS Specific Attributes | AWS Instance Type | Equals, Contains, Like | |
AWS Region | Equals, Contains, Like | ||
AWS Tag | Equals, Contains, Like | ||
AWS Root Volume Type | Equals, Contains, Like | ||
AWS Data Volume Type | Equals, Contains, Like | ||
AWS Root Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AWS Data Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AWS IAM Role | Equals, Contains, Like | ||
AWS VPC ID | Equals, Contains, Like | ||
AWS Security Group ID | Equals, Contains, Like | ||
AWS Subnet ID | Equals, Contains, Like | ||
AWS Machine Image ID | Equals, Contains, Like | ||
GCP Specific Attributes | GCP Instance Name | Equals, Contains, Like | |
GCP Machine Type | Equals, Contains, Like | ||
GCP Zone | Equals, Contains, Like | ||
GCP Boot Disk Storage Type | Equals, Contains, Like | ||
GCP Boot Disk Source Image | Equals, Contains, Like | ||
GCP Labels | Equals, Contains, Like | ||
Entity Type: Application Action: Day 2 Operation |
All | Application Name | Equals, Contains, Like |
Application Profile Cost | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
App Replicas Count | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Action Name | Equals, Contains, Like | ||
AHV Specific Attributes (for Update Config Only) | AHV vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | |
AHV Cores Per vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Memory | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Category | Equals, Contains, Like | ||
AHV vLAN Name | Equals, Contains, Like | ||
AHV VPC Name | Equals, Contains, Like | ||
AHV Device Type | Equals, Contains, Like | ||
AHV Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV (for Snapshots) | AHV Snapshot Location | Equals, Contains, Like | |
AHV Snapshot Replica | Equals, Contains, Like | ||
AHV Snapshot Name | Equals, Contains, Like |
Day 2 operations are combination of multiple actions. Ensure that you use the supported attributes for different day 2 operations to enforce the policy appropriately. For example, when you configure a policy with scale in or scale out task, the supported attributes can be App Replicas Count and Application Profile Cost.
The following table provides the day 2 operation with the supported attributes.
Day 2 Operation | Supported Attributes |
---|---|
AHV Update Config | Estimated Application Profile Cost, AHV vCPU, AHV Cores Per vCPU, AHV Memory, AHV Category, AHV VPC Name, AHV vLAN Name, AHV Disk Size, and AHV Device Type |
Scale-in or Scale-out task | App Replicas Count and Application Profile Cost |
AHV Snapshot Config | AHV Snapshot Name, AHV Snapshot Replica, and AHV Snapshot Location |
Supported Attributes for All Day 2 Operations | Application Name and Action Name |
For system actions, you must specify the name in the action_<system action> format. The following table lists the system action names supported for approval policies.
System Action | Names |
---|---|
Start | action_start |
Restart | action_restart |
Stop | action_stop |
Delete | action_delete |
Soft Delete | action_soft_delete |
Snapshot Create | action_snapshot_create |
Restore | action_restore |
Update | action_update |
To quickly create a new policy, you can clone an existing policy and edit its basic information, conditions, and approvers.
You cannot clone an approval policy that is in the Draft state.
You can enable a policy to enforce the policy on an event that matches the entity, action, and conditions of the policy or disable the policy to skip policy enforcement.
As a Prism Central Administrator or Project Administrator, you can delete an approval policy if the policy is no longer required for the event.
After you have created a policy, you can view the details of the policy on the policy details page.
An an approver, you can view a list of all pending approval policies on the Approval Requests tab and can either approve or reject the request with a reason.
When you approve a request, the event moves to the next task. When you reject a request, the requester is notified about the rejection of the request. If you are the requester, you can view your pending requests and the status of your reviewed request on the My Requests tab.
Library allows you to save user-defined tasks (scripts) and variables that you can use persistently for other application blueprints. You do not have to define the same tasks and variables for each blueprint.
You can also share tasks and variables listed as part of library across different projects. You can also customise an existing task or variable.
The Library tab lists all the published user-defined tasks and the created variable types to be used across multiple blueprints.
You create custom variable types for added flexibility and utility. Beyond just string and integer data types, you can create more data types such as Date/Time, list, and multi-line string. You can define list values as a static list of values or can attach a script (eScript or HTTP task) to retrieve the values dynamically at runtime.
While creating a custom variable type, you associate a project to the variable type. You can also share the variable type with multiple other projects using the "Share" option on the same page.
Create variable types so that you can use the variables during blueprint creation. You can also share the created variable types across multiple projects.
You can create tasks while configuring a blueprint and publish these tasks to the library. Calm allows you to import these published tasks while configuring other blueprints across multiple projects.
To refer to the video about task library, click here.
Add a task to a project so that you can use the task while configuring blueprints for the selected project.
Delete unwanted tasks from the Library. The deleted tasks can no longer be used in any project while configuring a blueprint.
A runbook is a framework to automate routine tasks and procedures that pan across multiple applications without the involvement of a blueprint or an application.
A runbook is a collection of tasks that you can define to run sequentially at different endpoints. For more information about endpoints, see Endpoints Overview.
You can define the following types of tasks in a runbook.
Task | Description |
---|---|
Execute | To run Shell, PowerShell, and eScript (custom python) scripts. |
Set Variable | To run a script and create variables. |
Delay | To set a delay interval between two tasks or actions. |
HTTP | To perform REST calls to an HTTP endpoint. |
While Loop | To iterate over multiple tasks until the defined condition is met. |
Decision | To define different flows or paths based on the exit condition. |
VM Power On | To power on the VMs that are present in the VM endpoint type. |
VM Power Off | To power off the VMs present in the VM endpoint type. |
VM Restart | To restart the VMs present in the VM endpoint type. |
For more information about creating a runbook, see Creating a Runbook.
To share an active runbook across different projects, you can submit the runbook to be published as a Marketplace item. When the runbook is available at the marketplace, members from different projects to which the runbook is assigned can view and execute it.
When you submit a runbook for publishing, your administrator approves and publishes the runbook at the Marketplace. While publishing, your administrator selects the projects that can view and execute the runbook. You can publish runbooks with or without endpoints and with or without secret values (credential passwords or keys and secret variables). For more information, see Submitting a Runbook for Publishing.
You can select endpoints with virtual machines as the target type to execute power operation tasks such as power off, power on, or restart. Executing these tasks on Virtual machines is particularly helpful in cases where you need to run a set of scripts on multiple VMs and then restart the VMs. For example, when you want to upgrade a software on your VMs. For more information about creating an endpoint, see Creating an Endpoint.
You cannot modify the runbook after it is published. You can either execute the runbook or clone the runbook within your project from the marketplace.
A runbook is a collection of tasks that you can define to run sequentially at different endpoints.
Calm uses the default endpoint only when you do not configure any endpoint at the task level.
The task is further subdivided into True and False condition. You must repeat the steps to add the tasks and configure the task type.
Create a runbook with the Execute task to run Shell, PowerShell, and eScript (custom python) scripts. Create a runbook with the Set Variable task to run a script and create variables.
Create a runbook with the Delay task to set a delay interval between two tasks or actions.
Create a runbook with the HTTP task to perform REST calls to an HTTP endpoint.
Create a runbook with the While Loop task to iterate over multiple tasks until the defined condition is met.
Submit a runbook for publishing so that your admin can approve and publish it at the marketplace. Members from the associated projects can view and execute the runbooks that are published at the marketplace.
You can execute a runbook to run the tasks sequentially on an endpoint.
Perform the following procedure to delete a runbook.
Endpoints are the target resources where the tasks defined in a runbook or blueprint are run.
The endpoints are collection of IP addresses or VMs. The collection of VMs can be a static selection or can be dynamic with filter rules applied.
You have the following types of endpoints.
To know how to create an endpoint, see Creating an Endpoint.
For Windows or Linux endpoint type, you can select virtual machines as the target type. Selecting VMs as target type is useful in cases where you run a set of scripts on multiple VMs and then restart the VMs. For example, you can select VMs as target type to upgrade a software on your VMs.
After you select VMs as the target type, you must select the provider account to list all the associated VMs. You can filter the list of VMs. You can either select the VMs manually or enable the option to automatically select the filtered VMs for your endpoint.
Create an endpoint to run the tasks that you define in a runbook or blueprint.
Perform the following procedure to delete a endpoint.
You can take a backup of the Calm data to a specified location on your machine and restore the data to a new Prism Central. You back up the following data:
You can take a backup of the entire Calm data to a specified location on your machine and restore the data to a new Prism Central.
docker exec -it nucalm bash
calmdata
binary is available in the
/home/calm/bin
folder.
# cd /home/calm/bin
# ./calmdata backup --dump-folder <folder>
calmdata
tar file dump.
sudo kubectl -s 0.0.0.0:8070 -n ntnx-base get pods
cd ~/cluster/bin/
vi backup_iam.sh
backup_iam.sh
file.
sh backup_iam.sh
/usr/local/nutanix/iam-backup
.
docker cp <nucalm_container_id>:<backup_tar_file_path> <PC_path_to_copy>
docker cp f4af4798e47d:/backup/3.5.0_backup.tar /home/nutanix/local_backup/
scp
command to copy the calmdata backup tar file from
the Prism Central file system to the new Prism Central.
scp
command to copy the
IAM backup zipped file from the Prism Central file system to the following
location on the new Prism Central.
/usr/local/nutanix/iam-backup
docker cp <back_up_tar_file_path> <nucalm_container_id>:<restore_path_dump_folder>
# ./calmdata restore --dump-folder <folder>
docker exec -ti nucalm bash
activate;
code ;
python scripts/update_policy_vm_host_data.pyc
sudo systemctl stop policy-container
sudo systemctl stop policy-epsilon-container
sudo systemctl stop chronos-container
docker rm -f policy
docker rm -f policy-epsilon
docker rm -f chronos
sudo systemctl start policy-container
sudo systemctl start policy-epsilon-container
sudo systemctl start chronos-container
cd ~/cluster/bin/
vi restore_iam_from_file.sh
restore_iam_from_file.sh
file.
sh restore_iam_from_file.sh
Use the following flag options for your Calm data backup:
Options | Description |
---|---|
dump-folder |
The folder where you want to place the backup data. The default folder is located
at
/tmp/default
.
Note:
Create this folder before taking the
backup. When you restore, the restore binary must be present at this
location.
Example:
|
max-threads |
The maximum number of threads to use to take the backup. The default value is
5.
Example:
|
fetch-limit |
The maximum number of entries to fetch in batches of 100 per call. The default
and the maximum value is 100. Decreasing the value of
fetch-limit
increases the time taken to back up Calm
data.
Example:
|
idf-timeout |
The timeout for IDF (database). Increase the value of IDF timeout if you
encounter backup failure due to timeout. The default value is
60.
Example:
|
backup-deleted-entities |
The flag to include deleted entities in the backup. The backup does not include
deleted entities when the value is False. The default value is
True.
Example:
|
When you enable the policy engine for your Calm instance, Calm creates and deploys a new VM for the policy engine in your Prism Central network. After the policy engine VM deployment, you can anytime create a backup of your policy engine database. You can use the backup to restore the policy engine to the earlier state on your existing policy engine VM or on a new policy engine VM.
You must run the backup and restore commands from your Prism Central instance.
ssh nutanix@<policy_vm_ip>
/home/nutanix/scripts/backup.sh
<policy_vm_ip>
is the IP address of the policy
engine VM.
/home/nutanix/data/backups/
.
scp
command and then to the new policy
engine VM.
ssh nutanix@<policy_vm_ip> /home/nutanix/scripts/restore.sh
–-list
ssh nutanix@<policy_vm_ip> /home/nutanix/scripts/restore.sh
-f=<backup_name>
<policy_vm_ip>
is the IP address of the policy
engine VM and
<backup_name>
is the local backup file
available on the policy engine VM.
Calm task library public repository contains scripts for installing and uninstalling different services. To access the repository, click here.
The following sections provide the sample scripts of Cloud-init and SysPrep to configure the static IP address range for non-managed AHV network.
#cloud-config
cloud_config_modules:
- resolv_conf
- runcmd
write_files:
- path: /etc/sysconfig/network-scripts/ifcfg-eth0
content: |
IPADDR=10.136.103.226
NETMASK=255.255.255.0
GATEWAY=10.136.103.1
BOOTPROTO=none
ONBOOT=yes
DEVICE=eth0
runcmd:
- [ifdown, eth0]
- [ifup, eth0]
manage_resolv_conf: true
resolv_conf:
nameservers: ['8.8.4.4', '8.8.8.8']
searchdomains:
- foo.example.com
- bar.example.com
domain: example.com
options:
rotate: true
timeout: 1
<?xml version="1.0" encoding="UTF-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<ComputerName>Windows2016</ComputerName>
<RegisteredOrganization>Nutanix</RegisteredOrganization>
<RegisteredOwner>Acropolis</RegisteredOwner>
<TimeZone>UTC</TimeZone>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<Identification>
<Credentials>
<Domain>contoso.com</Domain>
<Password>secret</Password>
<Username>Administrator</Username>
</Credentials>
<JoinDomain>contoso.com</JoinDomain>
<UnsecureJoin>false</UnsecureJoin>
</Identification>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-TCPIP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<Interfaces>
<Interface wcm:action="add">
<Identifier>Ethernet</Identifier>
<Ipv4Settings>
<DhcpEnabled>false</DhcpEnabled>
<RouterDiscoveryEnabled>true</RouterDiscoveryEnabled>
<Metric>30</Metric>
</Ipv4Settings>
<UnicastIpAddresses>
<IpAddress wcm:action="add" wcm:keyValue="1">10.0.0.2/24</IpAddress>
</UnicastIpAddresses>
<Routes>
<Route wcm:action="add">
<Identifier>10</Identifier>
<Metric>20</Metric>
<NextHopAddress>10.0.0.1</NextHopAddress>
<Prefix>0.0.0.0/0</Prefix>
</Route>
</Routes>
</Interface>
</Interfaces>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-DNS-Client" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<UseDomainNameDevolution>true</UseDomainNameDevolution>
<DNSDomain>contoso.com</DNSDomain>
<Interfaces>
<Interface wcm:action="add">
<Identifier>Ethernet</Identifier>
<DNSDomain>contoso.com</DNSDomain>
<DNSServerSearchOrder>
<IpAddress wcm:action="add" wcm:keyValue="1">10.0.0.254</IpAddress>
</DNSServerSearchOrder>
<EnableAdapterDomainNameRegistration>true</EnableAdapterDomainNameRegistration>
<DisableDynamicUpdate>true</DisableDynamicUpdate>
</Interface>
</Interfaces>
</component>
<component xmlns="" name="Microsoft-Windows-TerminalServices-LocalSessionManager" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<fDenyTSConnections>false</fDenyTSConnections>
</component>
<component xmlns="" name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<UserAuthentication>0</UserAuthentication>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Networking-MPSSVC-Svc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<FirewallGroups>
<FirewallGroup wcm:action="add" wcm:keyValue="RemoteDesktop">
<Active>true</Active>
<Profile>all</Profile>
<Group>@FirewallAPI.dll,-28752</Group>
</FirewallGroup>
</FirewallGroups>
</component>
</settings>
<settings pass="oobeSystem">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<UserAccounts>
<AdministratorPassword>
<Value>secret</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
</UserAccounts>
<AutoLogon>
<Password>
<Value>secret</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>Administrator</Username>
</AutoLogon>
<FirstLogonCommands>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985"</CommandLine>
<Description>Win RM port open</Description>
<Order>1</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
</FirstLogonCommands>
<OOBE>
<HideEULAPage>true</HideEULAPage>
<SkipMachineOOBE>true</SkipMachineOOBE>
</OOBE>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<InputLocale>en-US</InputLocale>
<SystemLocale>en-US</SystemLocale>
<UILanguageFallback>en-us</UILanguageFallback>
<UILanguage>en-US</UILanguage>
<UserLocale>en-US</UserLocale>
</component>
</settings>
</unattend>
Calm supports the following eScript modules.
Module | Module supported as |
---|---|
datetime | _datetime |
re | re |
difflib | difflib |
base64 | base64 |
pprint | pprint |
pformat | pformat |
simplejson | json |
ujson | ujson |
yaml | yaml |
Uuid | uuid |
requests | requests |
boto3 | boto3 |
azure | azure |
kubernetes | kubernetes |
The following example displays the usage of boto3 module.
import boto3
ec2 = boto3.client('ec2', aws_access_key_id='{}', aws_secret_access_key='{}', region_name='us-east-1')
print ec2.describe_regions()
The following example displays the usage of Azure module.
# subscription_id macro contains your Azure Subscription ID
# client_id macro contains your Client ID
# tenant macro contains you Tenant ID
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
credentials = ServicePrincipalCredentials(
client_id=@@{client_id}@@,
secret='secret',
tenant=@@{tenant}@@
)
client = ResourceManagementClient(credentials, @@{subscription_id}@@)
for item in client.resource_groups.list():
print(item)
The following example displays the usage of Kubernetes module.
from kubernetes import client as k8client
aToken="eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJl
cm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWN
jb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNl
YWNjb3VudC9zZWNyZXQubmFtZSI6InNhcmF0aC10b2tlbi1ubWo1cSIsImt1YmVybm
V0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJzYXJhdG
giLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQ
iOiIzODM1Zjk5MC0zZGJhLTExZWEtODgwNy01MDZiOGQzYjFhYjIiLCJzdWIiOiJzeXN0ZW06c2Vyd
mljZWFjY291bnQ6ZGVmYXVsdDpzYXJhdGgifQ.dLJCdlOGktRsXfxDItBdbYxDYJtnFS9pptQaKr
JS1QfWAiT93l_iPExZZ_7JGQ2t7glpe-DNEwfjKiqUkDKmuHZSxN9fV6PHjTc8CGOn1q4LV7
tFFkh4HNi-JjhLPkRRQUM6_y5qQSrx9asDEGVLGsoHjuMLhELi4Ghq1EOgcRxPCTQD6lq_C203Dap
PESdqPl7JsmIVBCkFUT4A8A4sseiOqq9ogX-QKvAwoI7yq97BMJLX7q868cNBRsbFzct1tS-CEx-RCPM95
qAzdLNUOrIszVVgSd7jLxIg_tqUH_yEj4T0cePsbLhrCBPRt6bHFCyg3RkIKRoIN2YBq0wPWw"
configuration=k8client.Configuration()
configuration.host="https://10.46.4.213:6443"
configuration.verify_ssl=False
configuration.debug=True
configuration.api_key={"authorization":"Bearer "+ aToken}
k8client.Configuration.set_default(configuration)
v1=k8client.CoreV1Api()
nodes=v1.list_node(watch=False)
print nodes.items[0].metadata.name
Calm supports the following eScript functions.
The API exposes REST interface as a set of objects. This action is implemented using python requests module.
urlreq(url, verb='GET', auth=None, c=None, user=None, passwd=None, params=None,
headers=None, timeout=None, send_form_encoded_data=True, allow_redirects=True,
cookies=None, verify=True, proxies=None)
requests.Response object is returned.
Arguments | Description |
---|---|
url | string, url to request |
verb |
string, verb is GET by default. POST, HEAD, PUT, PATCH, and DELETE are other valid entries. |
auth |
string (optional), BASIC and DIGEST are the valid entries.
For authentication purposes, the order is as follows.
|
user | string (optional), username used for authentication. |
passwd | string (optional), password used for authentication. |
params | dict (optional), if verb is GET, HEAD or DELETE, parameters are sent in the query string for the request otherwise they are sent in the body of the request. |
headers | dict (optional), Dictionary of HTTP headers needs to be send along with the request. |
timeout | integer (optional), you can configure requests to stop waiting for a response after a given number of seconds with the timeout parameter. timeout only elects the connection process itself, not the downloading of the response body. |
send_form_encoded_data | boolean (optional), = True by default. If False, parameters dict is first dumped using simplejson.dumps() and then passed as a string. |
allow_redirects |
boolean (optional), = True by default. Specifies whether redirects should be allowed or not. |
cookies | dict (optional), cookies dict to be sent along with the request. |
verify | boolean (optional), = True by default. Specifies whether SSL certificates should be verified or not. |
proxies | dict (optional), Dictionary mapping protocol to the URL of the proxy |
Rules for authentication in the order of priority.
If the above two criteria does not match, username and password are authenticated by using the credential attached to the task.
For example
params = {'limit': 1}
headers = {'content-type': 'application/octet-stream'}
r = urlreq(url, verb="GET", auth="BASIC", c='somecred', params=params, headers=headers)
r = urlreq(url, verb="POST", auth="BASIC", user="user", passwd="pass", params=params)
The exit function is an alias for sys.exit of python standard library.
exit(exitcode)
For example
exit(0)
The sleep function is an alias for time.sleep.
sleep(num_of_secs)
For example
sleep(10)
The _construct_random_password API generates a random password and returns it.
_construct_random_password(lower, upper=None, numCaps=0, numLetters=0,
numDigits=0, numPuncs=0, startwith=None, caps=None, letters=None,
digits=None, puncs=None)
Returns: String
Argument | Description |
---|---|
lower | integer, minimum number of characters in the password. |
upper | integer (optional), maximum number of characters in the password. If upper is not defined, then the password returned will always be as per lower, else the length can vary between lower and upper (both included). |
numCaps |
integer (optional), minimum number of capital letters that must be there in password. |
numLetters |
integer (optional), minimum number of letters that must be there in password. |
numDigits | integer (optional), minimum number of digits that must be there in password. |
numPuncs |
integer (optional), minimum number of punctuation alphabets that must be there in password. |
startwith |
string (optional), password returned starts with one of the characters provided in startwith string. |
caps | string (optional), default = 'A-Z'. This can be overridden. |
letters | string (optional), default = 'a-zA-Z'. This can be overridden. |
digits | string (optional), default = '0-9'. This can be overridden. |
puncs | string (optional), default = '!@#$%^&'. This can be overridden. |
The _is_bad_password function checks whether the password is correct or not.
_is_bad_password(password, reserved, dictionary=True, numCaps=0, numPuncs=0, \
numDigits=0, minLen=5)
For example
_is_bad_password("Abcd@123")
The _randomchoose function is used to get a random character from a string.
_randomchoose(string)
For example
_randomchoose("adsadrer")
The _shuffle function is used to shuffle the sequence.
_shuffle(sequence)
For example
_shuffle(a)
The get_sql_handle function enables you to remotely connect and manage SQL Servers. It is implemented by using python pymssql module.
get_sql_handle(server, username, password, database='', timeout=0, login_timeout=60, charset='UTF-8', as_dict=False, host='', appname=None, port='1433', conn_properties=None, autocommit=False, tds_version=None)
Returns pymssql.Connection object
Argument | Description |
---|---|
server (str) | database host |
user (str) | database user to connect as |
password (str) |
user’s password |
database (str) |
The database to initialize the connection with. By default SQL Server selects the database which is set as default for specific user |
timeout (int) | query timeout in seconds, default 0 (no timeout) |
login_timeout (int) | timeout for connection and login in seconds, default is 60 seconds |
charset (str) | character set with which to connect to the database |
For example
username="dbuser"
password="myP@ssworD"
server="10.10.10.10"
port="1433"
cnxn = get_sql_handle(server, username, password, port=port, autocommit=True)
cursor = cnxn.cursor()
# List all databases
cursor.execute("""
SELECT Name from sys.Databases;
""")
for row in cursor:
print row[0]
cnxn.close()
To refer to the video about supported eScripts, click here.
The following script is an EScript sample script.
#script
account_name = "@@{ACCOUNT_NAME}@@"
aviatrix_ip = "@@{address}@@"
new_test_password = "@@{NEW_TEST_PASSWORD}@@"
vpc_name = "Test"
api_url = 'https://{0}/v1/api'.format(aviatrix_ip)
#print api_url
def setconfig(api_url, payload):
r = urlreq(api_url, verb='POST', auth="BASIC", user='admin', passwd='passwd', params=payload, verify=False)
resp = json.loads(r.content)
if resp['return']:
return resp
else:
print "Post request failed", r.content
exit(1)
print "Get the session ID for making API operations"
payload = {'action': 'login', 'username': 'admin', 'password': new_test_password}
api_url1 = api_url + "?action=login&username=admin&password="+ new_aviatrix_password
cid = setconfig(api_url=api_url1, payload=payload)
cid = cid['CID']
print cid
print "Delete the gateway"
payload = {'CID': cid,
'action': 'delete_container',
'account_name': account_name,
'cloud_type': 1,
'gw_name': vpc_name
}
api_url1 = api_url + "?CID="+cid+"&action=delete_container&account_name="+account_name+"&cloud_type=1&gw_name="+vpc_name
print setconfig(api_url=api_url1,payload=payload)
print "Delete the aws account"
payload = {'CID': cid,
'action': 'delete_account_profile',
'account_name': account_name
}
api_url1 = api_url + "?CID="+cid+"&action=delete_account_profile&account_name="+account_name
print setconfig(api_url=api_url1,payload=payload)
The following script is a jwt usage sample script.
#script
jwt = '@@{calm_jwt}@@'
payload = {}
api_url = 'https://localhost:9440/api/nutanix/v3/apps/list'
headers = {'Content-Type': 'application/json', 'Accept':'application/json', 'Authorization': 'Bearer {}'.format(jwt)}
r = urlreq(api_url, verb='POST', params=json.dumps(payload), headers=headers, verify=False)
if r.ok:
resp = json.loads(r.content)
print resp
exit(0)
else:
print "Post request failed", r.content
exit(1)
The following script is a powershell sample script.
Install-PackageProvider -Name NuGet -Force
Install-Module DockerMsftProvider -Force
Install-Package Docker -ProviderName DockerMsftProvider -Force
The following script is a guest customization sample script for the Azure service.
<AutoLogon>
<Password>
<Value>@@{user.secret}@@</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>@@{user.username}@@</Username>
</AutoLogon>
The following script is a guest customization sample script for the Azure service.
<FirstLogonCommands>
<SynchronousCommand>
<CommandLine>cmd.exe /c powershell -Command get-host</CommandLine>
<Order>1</Order>
</SynchronousCommand>
</FirstLogonCommands>
The following script is a guest customization sample script for the VMware service.
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set winrm/config/service/auth @{Basic="true"}
powershell -Command "enable-psremoting -Force"
powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"
The following script is a guest customization sample script for the GCP service.
#! /bin/bash\napt-get update\napt-get install -y apache2\ncat <<EOF > /var/www/html/index.html\n<html><body><h1>Hello World</h1>\n<p>This page was created from a simple startup script!</p>\n</body></html>\nEOF
Calm blueprints public repository contains custom blueprints and custom scripts that are created and published by community members. Calm also publishes official blueprints and tasks to the github public repository. You can clone the published blueprints and scripts and use from the repository. To access the repository, click here .
The blueprints repository of Calm contains script that can be seeded into task library and published to projects. You can use these tasks for blueprint configuration.
bash generate_task_library_items.sh
export PC_IP=<prism central IP>
export PC_USER=<prism central user>
export PC_PASSWORD=<prism central password>
export PC_PROJECT=<prism central project>
python generate_task_library.py --pc $PC_IP--user $PC_USER --password $PC_PASSWORD --project $PC_PROJECT --script <path of script>
Calm license for Prism Central enables you to manage VMs that are provisioned or managed by Calm. Nutanix provides a free trial period of 60 days to try out Calm.
The Prism web console and Nutanix Support portal provide the most current information about
your licenses. For detailed information about the Calm licensing feature, refer to the
Prism Central Guide
.
Upgrade Calm or Epsilon using the Life Cycle Manager (LCM) from Prism Central. Epsilon is the orchestration engine for Calm. For more information , see Life Cycle Manager.
Use LCM to display the software and firmware versions of the entities in the cluster.
Use LCM to upgrade Calm and Epsilon to the latest available versions.
If you do not select any specific updates, the LCM performs all available updates.
By default, LCM automatically fetches updates from a pre-configured URL. If LCM fails to access the configured URL to fetch updates, you can configure the LCM to fetch updates locally to upgrade Calm and Epsilon.
Perform the following procedure to upgrade Calm and Epsilon at a dark site.
The LCM sidebar now shows the LCM framework with the updated version.
Refer to this section to upgrade Calm to the latest available version after you deploy the Calm VM.
Use the following procedure to upgrade Calm and Epsilon from Calm VM 3.3.1 to 3.5.0.
genesis stop nucalm epsilon
/usr/local/nutanix/nucalm/
)
and remove the tar file.
nucalm.tar.xz
from the Downloads location.
/usr/local/nutanix/epsilon/
) and remove the tar file.
epsilon.tar.xz
from the Downloads location.
cluster start
To upgrade Calm VM using the PC method, do the following:
Check if the compatible PC version is available. If not, go to the Name Servers page and enter the global DNS server as the Name server.
A confirmation window appears.
Click Yes to start the download process. After the download gets completed, you can view the Upgrade list.
During the upgrade process, the Calm VM gets restarted.
Also, you can log in to the Calm VM GUI to view the upgraded version. In the top-left corner, click User Menu > About Nutanix .
You can upgrade to newer versions of Calm without performing a VM upgrade. Upgrades to most minor releases and few major releases are done using the LCM method.
To upgrade Calm VM using the LCM method, do the following:
A confirmation window appears.
Note that the Epsilon check-box also gets selected. Epsilon is the orchestration engine used by Calm.
A confirmation window appears.
By default, Life Cycle Manager (LCM) automatically fetches updates from a pre-configured URL. If LCM fails to access the configured URL to fetch updates, you can configure the LCM to fetch updates locally to upgrade Calm and Epsilon. Perform the following procedure to upgrade Calm and Epsilon at a dark site.
The LCM sidebar now shows the LCM framework with the same version as the LCM dark site bundle you downloaded.
The Credential Security Support Provider (CredSSP) protocol is a security support provider that you implement using the Security Support Provider Interface (SSPI). CredSSP allows an application to delegate credentials of a user from the client to the target server for remote authentication. CredSSP provides an encrypted transport layer security protocol channel. The client is authenticated over the encrypted channel by using the Simple and Protected Negotiate (SPNEGO) protocol with either Microsoft Kerberos or Microsoft NTLM.
For more information, refer to the Microsoft Documentation .
Perform the following procedure to enable CredSSP.
> Enable-WSManCredSSP -Role Server -Force
Perform the following procedure to generate an SSH key pair on a Linux VM.
$ ssh-keygen -t rsa
Perform the following procedure to generate an SSH key pair on Windows.
Integrated Linux based PowerShell gateway is an in-built microservice of Calm that you can use to run Windows PowerShell scripts. You do not have to install any Windows VM separately or install Karan service manually to run the PowerShell scripts in Calm. Perform the following task to run the PowerShell scripts in Calm.
> Install-windowsfeature -name AD-Domain-Services –IncludeManagementTools
> Enable-WSManCredSSP -Role Server -Force
> Install-windowsfeature -name AD-Domain-Services –IncludeManagementTools
You might encounter the following errors when you run the PowerShell scripts using the integrated Linux based PowerShell gateway.
Error | Description |
---|---|
Access denied |
If the VM and the WinRM services are started but the specified credential is wrong. You encounter the error in the following cases.
|
Connection refused |
You encounter the connection refusal error in the following cases.
|
Nutanix localizes the user interface in simplified Chinese and Japanese. All the static
screens are translated to the selected language. You can change the language settings of the
cluster from English (default) to simplified Chinese or Japanese. For information on how to
change the language setting, refer to the
Prism Central
Guide
.
Product Release Date: 2022-06-14
Last updated: 2022-11-10
Calm allows you to seamlessly select, provision, and manage your business applications across your infrastructure for both the private and public clouds. Calm provides application automation, lifecycle management, monitoring, and remediation to manage your heterogeneous infrastructure, for example, VMs or bare-metal servers.
Calm supports multiple platforms so that you can use the single self-service and automation interface to manage all your infrastructure. Calm provides an interactive and user-friendly graphical user interface (GUI) to manage your infrastructure.
Calm is a multi-cloud application management framework that offers the following key benefits:
Calm simplifies the setup and management of custom enterprise applications by incorporating all important elements, such as the relevant VMs, configurations, and related binaries into an easy-to-use blueprint. These blueprints make the deployment and lifecycle management of common applications repeatable and help infrastructure teams eliminate extensive and complex routine application management.
Calm unifies the management of all your clouds into a single-pane-of-glass, removing the need to switch between portals. Calm automates the provisioning of multi-cloud architectures, scaling both multi-tiered and distributed applications across different cloud environments, including AWS, GCP, Azure, and VMware (on both Nutanix and non-Nutanix platforms).
Calm empowers different groups in the organization to provision and manage their own applications, giving application owners and developers an attractive alternative to public cloud services. Calm provides powerful, application-centric self-service capabilities with role-based access control. All activities and changes are logged for end-to-end traceability, aiding security teams with key compliance initiatives.
The marketplace offers preconfigured application blueprints that infrastructure teams can instantly consume to provision applications. The marketplace also provides the option to publish sharable runbooks. A runbook is a collection of tasks that are run sequentially at different endpoints. Infrastructure teams can define endpoints and use runbooks to automate routine tasks and procedures that pan across multiple applications without the involvement of a blueprint or an application.
With native integration into Beam, Calm also shows the overall utilization and true cost of public cloud consumption to help you make deployment decisions with confidence.
Combined with Nutanix Karbon or your choice of certified Kubernetes, Calm provides the tools required to modernize applications without losing control of policy. Additionally, Calm natively integrates with Jenkins to empower CI/CD pipelines with automatic infrastructure provisioning or upgrades for all applications.
Calm DSL describes a simpler Python3-based Domain Specific Language (DSL) for writing Calm blueprints. DSL offers all the richness of the Calm user interface along with additional benefits of being human readable and version controllable code that can handle even the most complex application scenario. DSL can be also used to operate Calm from a CLI.
As Calm uses Services, Packages, Substrates, Deployments and Application Profiles as building blocks for a blueprint, these entities can be defined as Python classes. You can specify their attributes as class attributes and define actions on those entities (procedural runbooks) as class methods.
Calm DSL also accepts appropriate native data formats such as YAML and JSON that allow reuse into the larger application lifecycle context of a Calm blueprint.
For technical articles, videos, labs and resources on Calm DSL, see Nutanix Calm DSL on Nutanix.dev.
You must configure the following components before you start using Calm.
Before you enable Calm from Prism Central, ensure that you have met the following prerequisites.
You can go to the Software Product Interoperability page to verify the compatible versions of Calm and Prism Central.
Nutanix certifies the following benchmarks for single-node deployment profiles (non-scale-out) and three-node deployment profiles (scale-out). Each benchmark contains scale numbers across different entities of Calm. Because the scaling properties of these entities often depend on each other, changes to one entity might affect the scale of other entities. For example, if your deployment has smaller number of VMs than the benchmarked number, you can have a higher number of blueprints, projects, runbooks, and so on.
Use these guidelines as a good starting point for your Calm installation. You might have to allocate more resources over time as your infrastructure grows.
The following table shows the Calm benchmarks for a single-node Prism Central profile.
Prism Central size | Prism Central configuration | Number of VMs | Number of single-VM blueprints | Number of single-VM applications | Number of projects | Number of runbooks |
---|---|---|---|---|---|---|
Small (1 node) |
6 vCPUs and 30 GB of memory for each node. |
2000 | 400 | 2000 | 50 | 250 |
Large (1 node) |
10 vCPUs and 52 GB of memory for each node. |
7000 | 1400 | 7000 | 250 | 500 |
The following table shows the Calm benchmarks for a three-node Prism Central profile. If high-availability is preferred, it is recommended to use the scale-out deployment.
Prism Central size | Prism Central configuration | Number of VMs | Number of single-VM blueprints | Number of single-VM applications | Number of projects | Number of runbooks |
---|---|---|---|---|---|---|
Small (3 nodes, scale out) |
6 vCPUs and 30 GB of memory for each node. |
3500 | 700 | 3500 | 100 | 500 |
Large (3 nodes, scale out) |
10 vCPUs and 52 GB of memory for each node. |
12500 | 2500 | 12500 | 500 | 1000 |
The following considerations are applicable for both Calm single-node and three-node (scale-out) profiles:
The maximum throughput on a large three-node (scale-out) deployment profile is 400 VMs per hour.
For a list of required Calm ports, see Port Reference. The Port Reference section provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.
Calm is integrated into Prism Central and does not require you to deploy any additional VMs. To start using Calm, you only have to enable Calm from Prism Central.
If the Prism web console is not registered from a Prism Central and the application blueprints have subnet, image, or VMs on the Prism web console, the Calm functionality is impacted.
Prism Central Guide
.
You can check the version of your Calm instance from the Calm user interface.
Calm VM is a standalone VM that you can deploy on AHV and ESXi hypervisors and leverage calm functionality without the Nutanix infrastructure.
You can deploy Calm using the image at the Nutanix Support Portal - Downloads page and manage your applications across a variety of cloud platforms. Calm VM deployment eliminates the need of the complete Nutanix infrastructure to use Calm features.
For information on Calm VM deployment on AHV, see Deploying Calm VM on AHV.
This section describes the steps to deploy a Calm VM on AHV.
You must create a VM with a specific Open Virtualization Format (OVF) image to access the Calm UI.
For more information, see Deploying OVA Template on VMware vSphere section in the VMware documentation .
This section describes the steps to deploy a Calm VM by using the vSphere CLI (govc).
$ govc import.ova -name 5.17.1-prismcentral -3.0.0.1 http://endor.dyn.nutanix.com/GoldImages/calm-vm
If you have downloaded the OVF file on your system, replace http://endor.dyn.nutanix.com/GoldImages/calm-vm with the location of the OVF file.
Running the command starts the uploading process. Once the uploading is complete, power on the Calm VM from the vSphere web client.
Use the following procedure to set up Scale-out version of Calm VM.
cluster stop
cluster destroy
#cluster --cluster_function_list="multicluster" -s <ip1>,<ip2>,<ip3> create
For example:
cluster --cluster_function_list="multicluster" -s 10.46.141.71,10.46.138.20,10.46.138.26 create
cluster --cluster_function_list="multicluster" --cluster_name "<Cluster Name>" -s <ip1>,<ip2>,<ip3> --cluster_external_ip=<vip> create
For example:
cluster --cluster_function_list="multicluster" --cluster_name "Demo" -s 10.46.141.71,10.46.138.20,10.46.138.26 --cluster_external_ip=10.46.141.70 --dns_servers 10.40.64.15,10.40.64.16 create
cd /home/nutanix/bin
python enable_calm.py
cluster status
docker cp /home/nutanix/bin/set_policy_calmvm.pyc nucalm:/home
docker cp /home/nutanix/bin/set_policy.sh nucalm:/home
docker exec nucalm /bin/sh -c '/home/set_policy.sh <POLICY_VM_IP> <POLICy_VM_UUID>'
Use the following steps to enable policy engine for Calm VM.
docker cp /home/nutanix/bin/set_policy_calmvm.py nucalm:/home
docker cp /home/nutanix/bin/set_policy.sh nucalm:/home
docker exec nucalm /bin/sh -c '/home/set_policy.sh <POLICY_VM_IP> <POLICY_VM_UUID>'
policy-engine.tar.gz
file from the Downloads page on to the policy
engine VM.
policy-engine.tar.gz
file.
upgrade.sh
.
docker ps
command to check the status of
policy containers, and wait for the containers to get healthy.
set_policy_calmvm.py
script from the
Downloads page into the
/home/nutanix/bin/
directory of your Calm VM
and provide the execute permission.
set_policy.sh
script from the Downloads page into the
/home/nutanix/bin/
directory of your Calm VM
and provide the execute permission.
By Default, Calm VM uses DHCP IP address. You can use the following procedure to launch Calm VM using a static IP address.
The following table lists the different tabs in Calm, their icons, and their usage:
Icons | Tab | Usage |
---|---|---|
Marketplace tab | To instantly consume application blueprints to provision applications. See Marketplace Overview. | |
Blueprint tab | To create, configure, publish, and launch single-VM or multi-VM blueprints. See Calm Blueprints Overview. | |
Application tab | To view and manage applications that are launched from blueprints. See Applications Overview. | |
Library tab | To create and use variable types and tasks. You use variables and tasks while configuring a blueprint. See Library Overview. | |
Runbooks tab | To automate routine tasks and procedures that pan across multiple applications without involving any blueprints or applications. See Runbooks Overview. | |
Endpoints tab | To create and manage target resources where the tasks defined in a runbook or in a blueprint can run. See Endpoints Overview. | |
Settings tab |
To enable or disable general settings. See General Settings in Calm. To configure and manage provider accounts. See Provider Account Settings in Calm. To configure and manage credential provider. See Configuring a Credential Provider. |
|
Policies tab | To schedule application actions and runbook executions. See Scheduler Overview. | |
Marketplace Manager tab | To manage approval and publishing of application blueprints. See Marketplace Manager Overview. | |
Projects tab | To create users or groups and assign permissions to use Calm. Projects tab also allows you to configure environment for your providers. See Projects Overview. |
You can use the following procedure to explore Calm user interface and get an overview of the Calm components.
You can use the following procedure to access the Calm REST API explorer console from the Calm user interface.
Calm manages the role-based access control using projects. Projects are logical groupings of user roles, accounts, VM templates, and credentials that are used to manage and launch blueprints and applications within your organization. For more information, see Projects Overview.
Users or groups are allowed to view, launch, or manage applications based on the roles that are assigned within the projects. Calm has the following roles for users or groups:
Project admins have full control of the project. They can perform reporting and user management, create blueprints, launch blueprints, and run actions on the applications.
Developers can create blueprints, launch blueprints, and run actions on the applications. They are, however, not allowed to perform reporting and user management.
Consumers can launch new blueprints from the marketplace and run actions on the applications. They are, however, not allowed to create their own blueprints.
Operators have minimum access and are allowed only to run actions against existing applications. They are not allowed to launch new blueprints or edit any existing blueprints.
The following table details the roles and responsibilities in Calm:
Prism Admin | Project Admin | Developer | Consumer | Operator | ||
---|---|---|---|---|---|---|
Marketplace | Enable and Disable | X | ||||
Manage | X | |||||
App publishing request | X | X | X | |||
Send App publishing request to the Administrator | X | X | ||||
Clone and edit App blueprint | X | X | X | |||
Blueprint | Create, update, delete, and duplicate | X | X | X | ||
Read-only | X | X | X | X | ||
Launch | X | X | X | X | ||
Applications | Complete App summary | X | X | X | X | X |
Run functions | X | X | X | X | X | |
App debug mode | X | X | X | X | X | |
Function edit | X | X | X | |||
Create App (brownfield import) | X | X | X | |||
Delete App | X | X | X | X | ||
Settings | CRUD | X | ||||
Task Library | View | X | X | X | X | X |
Create and Update | X | X | X | |||
Delete | X | |||||
Sharing with Projects | X | |||||
Projects | Add project | X | ||||
Update project | X | X | ||||
Add VMs to projects | X | |||||
Custom roles | ||||||
Users | Add users to the system and change roles | X | ||||
Add and remove users to or from a project | X | X | ||||
Change user roles in a project | X | X | ||||
Create Administrator | X | |||||
Create Project Administrator | X | X | ||||
Runbooks | Create and Update | X | X | X | ||
View | X | X | X | X | X | |
Delete | X | X | X | |||
Execute | X | X | X | X | X | |
Endpoints | Create and Update | X | X | X | ||
View | X | X | X | X | X | |
Delete | X | X | X | |||
Scheduler | Create, delete, and clone jobs | X | X | X | X | |
Read job and view execution status | X | X | X | X | X | |
Update job name, schedule, executable, and application action | X | X | X | X | ||
Edit operations on a blueprint launch | X | X | X | X | ||
Edit operations on runbook executions | X | X | X | X | ||
Edit operations on application actions | X | X | X | X | ||
Edit operations on Marketplace launch | X | X | X | X |
When you enable Calm, you get an out-of-the-box blueprint, a default project, and a preconfigured application profile with your Nutanix account. You can use the blueprint, project, and application profile to instantaneously launch your first application.
To quickly provision a Linux or Windows Infrastructure as a Service (IaaS) for your end users, you can configure and launch a single-VM blueprint in Calm.
Provisioning a Linux or Windows IaaS involves configuring the single-VM blueprint VM specifications and launching the blueprint.
The Settings tab allows you to control the overall administrative functionalities of the Calm instances. You must be a Prism Central administrator to access the Settings tab.
You can use the Settings > General tab to control the following functionalities:
Enable Nutanix Marketplace Applications to view and launch ready-to-use application blueprints. These application blueprints appear on the Marketplace Manager tab for publishing. You can publish the blueprints to the marketplace after associating them with a project.
Showback allows you to estimate the overall service cost of the applications running on your on-prem cloud. You can also view the graphical representation of the cost of the applications.
To enable and configure showback, see Enabling Showback.
Enable Showback to configure the resource cost of your applications and monitor them while you configure a blueprint or manage an application. Showback is applicable only for the Nutanix platform and the VMware through vCenter platform.
Disable showback to stop monitoring the resources cost of your application blueprints.
The policy engine is a single-VM setup for the single or scale-out Prism Central. When you enable the policy engine for your Calm instance, a new VM is created and deployed for the policy engine. All you need is an available IP address that belongs to the same network as that of your Prism Central VM for the policy engine VM.
As an administrator, you can enable the policy engine to:
The policy engine is a single-VM setup for the single or scale-out Prism Central.
When you enable the policy engine for your Calm instance, a new VM is created and deployed for the policy engine. All you need is an available IP address that belongs to the same network as that of your Prism Central VM for the policy engine VM.
You can enable the policy engine at a dark site.
<Calm version number>-CalmPolicyVM.qcow2
<Calm version number>-CalmPolicyVM.ova
After you enable the policy engine, you can set up the default quota values for vCPU, memory, and disk. This step is optional.
Setting up quota defaults saves you from repeatedly entering vCPU, memory, and disk quota values for each cluster. After you set the quota defaults, the default quota values populate automatically when you allocate quotas to your provider accounts.
After you enable policy engine, review the policy engine VM configuration, network configuration, and cluster information on the Policies tab of your Setttings page. For example, you can view the power status, protection status, or cluster name of the policy engine VM.
Disable the policy enforcement for your Calm instance if the policy engine VM encounters any connectivity issues or the policy engine VM is not responding.
You can enable approvals for your Calm instance from the settings page.
When you enable approvals, events such as runbook executions, application launch, and application day-2 operations that match the conditions defined in the approval policy go through the approval process.
You can disable approvals for your Calm instance from the Settings page.
When you enable approvals, events such as runbook executions, application launch, and application day-2 operations do not go through the approval process even when they match the conditions defined in the approval policy.
You can view the configuration details and email template on the Policies tab of the Settings page.
The content of the email templates for approver or requester can be modified only using the APIs. You can use the following supported email template variables.
You can use these variables with the {{}} syntax. For example, {{.PCIP}} .
You can view the protection and recovery status of a Calm application when:
You can view the protection and recovery status of the application on the Application Overview page. For more information, see Overview Tab.
To enable the option to show application protection status, see Enabling Application Protection Status View.
Enable the Show App Protection Status toggle button to view the protection and recovery status of a Calm application that is deployed on a Nutanix platform. You must be a Prism Central administrator to enable or disable the toggle button.
Calm automatically archives run logs of the deleted applications and custom actions that are older than three months. You can download the archives within 7 days from the time of archive creation.
For a running application, data is not archived for the system-generated Create actions.
You can get the following information for Start, Restart, Stop, Delete, and Soft Delete system-generated actions and user-created actions.
Calm archives all action details of a deleted application.
Only an administrator can view and download the application log archive. For more information, see Downloading Application Log Archive.
Calm periodically archives application logs to clear resources. You can download the archived application logs from the Settings tab.
Provider accounts are cloud services, baremetals, or existing machines that you can use to deploy, monitor, and govern your applications. You can configure multiple accounts of the same provider.
Use the Settings > Accounts tab to configure provider accounts. You configure provider accounts (by using the provider credentials) to enable Calm to manage applications by using your virtualization resources.
Calm supports the following provider accounts:
Provider Accounts | Description |
---|---|
Nutanix |
All the AHV clusters that are registered to the Prism Central instance are
automatically added as providers.
Note:
If you want to add a remote Prism Central (PC)
instance as a provider in a multi-PC setup, you must add the remote PC instance as
an account in Calm. For more information, see Configuring a Remote Prism Central Account.
|
VMware | To configure a VMware account, see Configuring a VMware Account. |
AWS | To configure an AWS account, see Configuring an AWS Account. |
Azure | To configure an Azure account, see Configuring an Azure Account. |
GCP | To configure a GCP account, see Configuring a GCP Account. |
Kubernetes | To configure a Kubernetes account, see Configuring a Kubernetes Account. |
Xi Cloud | To configure Xi Cloud as a provider, see Configuring a Xi Cloud Account. |
All AHV clusters that are registered to your Prism Central instance are automatically added as provider accounts to Calm.
You can also configure any remote Prism Central (PC) as an account in Calm to deploy applications on the remote PC. For more information, see Support for Multi-PC Setup.
In a multiple Prism Centrals (multi-PC) setup, a central Calm instance (called global Calm instance) runs only on one of the PCs (called host or parent PC) and all the other PCs are connected to the central Calm instance as the remote PCs.
The global Calm instance can now manage the applications deployed on the geographically distributed Prism Centrals (also called remote PCs) without the need of separate Calm instances for every PC. A remote PC is only used to provision the tasks for the deployed applications.
In a multi-PC environment, every remote PC is added as an account to the host PC and you can add the account to your project before creating and launching a blueprint.
For more information about adding a remote PC as an account, see Configuring a Remote Prism Central Account.
For more information about adding the account to a project, see Adding Accounts to a Project.
To deploy an application on a remote PC, you must configure the remote PC as an account in Calm.
You require the role of a Prism Admin to configure a remote PC account.
For more information about multiple Prism Central setup support, see Support for Multi-PC Setup.
Calm allows you to create VMs within the overlay subnets that have association to a Virtual Private Cloud (VPC) when you use your Nutanix or Remote PC account. A VPC is an independent and isolated IP address space that functions as a logically isolated virtual network. VMs that you create with VPC Subnets cannot communicate with a VM that is outside the VPC. Even the VMs outside the VPC cannot reach the VMs within the VPC.
In the absence of this direct communication, you can set up tunnels to communicate with the VMs within the VPC for orchestration activities and to run script-based tasks. You can set up the tunnel VM in any one of the subnets within the VPC.
To set up tunnels for your VPCs, you must:
For more information on creating VPC tunnels, see Creating VPC Tunnels.
In your Nutanix account, you set up tunnels to get access to the VMs that are created within the VPCs.
The tunnels that you create enables you to perform check log-in and run script-based execution tasks on the VMs that use the overlay subnets of the VPC.
If tunnel is not configured for the selected VPC, you can only perform basic operations (such as VM provisioning) on the VPC.
Configure your VMware account in Calm to manage applications on the VMware platform.
To refer to the video about setting up VMware as provider, click here.
The following table provides the complete list of permissions that you need to enable in vCenter before you configure your VMware account in Calm.
Entity | Permission |
---|---|
Datastore |
|
Network |
|
Resource |
|
vSphere Tagging |
|
Virtual Machine > Change Configuration |
|
Virtual Machine > Interaction |
|
Virtual Machine > Edit Inventory |
|
Virtual Machine > Provisioning |
|
You must define the custom role at the vCenter level instead of the Datacenter level. For information on how to enable permissions in vCenter, see the vSphere Users and Permissions section in the VMware documents.
Calm supports the following versions of vSphere.
Configure your AWS account in Calm to manage applications on the AWS platform.
nutanix@cvm$ ncli cluster get-name-servers
GovCloud (US) is an isolated AWS region to help the United States government agencies and federal IT contractors host sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements.
The AWS GovCloud (US) region supports the management of regulated data by restricting physical and logical administrative access to U.S. citizens only.
To manage applications on the AWS platform using Calm, you must have a privileged AWS user account with an appropriate policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListRoles",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:GetAccountPasswordPolicy",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateSnapshot",
"ec2:CreateImage",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:DisassociateIamInstanceProfile",
"ec2:RegisterImage",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot",
"ec2:GetConsoleOutput",
"ec2:Describe*",
"ec2:DeleteTags",
"ec2:TerminateInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["iam:ListUserPolicies"],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
},
{
"Effect": "Allow",
"Action": ["iam:PassRole"],
"Resource": ["arn:aws:iam::*:role/*"]
}
]
}
The following table displays the list of user policy privileges and the corresponding JSON attributes that you can add in the JSON syntax to assign different privileges to a user.
To create | JSON attributes |
---|---|
EC2 Instances |
ec2:RunInstances
|
Volumes |
ec2:CreateVolume
|
Snapshot |
ec2:CreateSnapshot
|
Image(AMI) |
ec2:CreateImage
|
To list or get | JSON attributes |
SSH Public Keys for all users |
iam:ListSSHPublicKeys
|
List IAM Roles |
iam:ListRoles
|
EC2 attributes |
ec2:Describe*
|
EC2 instance console output |
ec2:GetConsoleOutput
|
IAM user policies for the user |
iam:ListUserPolicies
|
To update | JSON attributes |
Image(AMI) attributes |
ec2:ModifyImageAttribute
|
To delete | JSON attributes |
EC2 Instances |
ec2:TerminateInstances
|
Instance Tags |
ec2:DeleteTags
|
Snapshot |
ec2:DeleteSnapshot
|
Images(deregister images) |
ec2:DeregisterImage
|
Others | JSON attributes |
Start/Stop/Restart Instances |
ec2:RunInstances, ec2:StartInstances, ec2:StopInstances,
ec2:RebootInstances
|
Pass and IAM role to service |
iam:PassRole
|
Configure your GCP account in Calm to manage applications on the GCP platform.
Configure your Azure account in Calm to manage applications on the Azure platform.
You must have a privileged Azure user account to manage applications on an Azure platform using Calm.
To refer to a video about assigning minimum privilege to configure Azure account to work with Calm, click here.
{
"Name": "Calm Admin",
"IsCustom": true,
"Description": "For calm to manage VMs on azure provisioned from calm applications",
"Actions": [
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/checknameavailability/read",
"Microsoft.Storage/skus/read",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/publicIPAddresses/*",
"Microsoft.Network/publicIPPrefixes/*",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/write",
"Microsoft.Compute/disks/*",
"Microsoft.Compute/images/read",
"Microsoft.Compute/images/write",
"Microsoft.Compute/locations/publishers/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/snapshots/*",
"Microsoft.Compute/locations/vmSizes/read",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.GuestConfiguration/*/read",
"Microsoft.GuestConfiguration/*/write",
"Microsoft.GuestConfiguration/*/action",
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/vaults/deploy/action"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/<subscription id>"
]
}
az role definition create --role-definition <file>.json
az ad sp create-for-rbac -n "CalmAccount" --role "Calm Admin"
Configure your Kubernetes account in Calm to manage applications on the Kubernetes platform.
For Calm to manage workloads on Amazon EKS, Azure Kubernetes Service (AKS), or Anthos, enable the generic authentication mechanism and create a service account on the Kubernetes cluster. You can then use the service account to communicate with the cluster.
kubectl create serviceaccount ntnx-calm
kubectl create clusterrolebinding ntnx-calm-admin --clusterrole
cluster-admin --serviceaccount default:ntnx-calm
SECRET_NAME=$(kubectl get serviceaccount ntnx-calm -o
jsonpath='{$.secrets[0].name}')
kubectl get secret ${SECRET_NAME} -o jsonpath='{$.data.token}' |
base64 –decode
kubectl config view --minify --raw -o
jsonpath='{.clusters[*].cluster.certificate-authority-data}' | base64
–decode
To manage workloads on Nutanix Xi Cloud, add your Xi Cloud as an account in Calm if your Prism Central is paired with a Xi cloud. Calm automatically discovers the availability zones of the Xi Cloud and allows you to add the Xi Cloud account as a provider account.
Calm automates the provisioning and management of infrastructure resources for both private and public clouds. When any configuration changes are made directly to the Calm-managed resources, Calm needs to sync up the changes to accurately calculate and display quotas and Showback information.
Platform sync enables Calm to synchronize any changes in the clusters that are managed by Calm on connected providers. These changes can be any IP Address changes, disk resizing, unavailability of VMs, and so on.
For example, when a VM is powered off externally or deleted, platform sync updates the VM status in Calm. Calm then adds the infrastructure resources consumed by the VM (memory and vCPU) to the total available quota.
You can specify an interval after which the platform sync must run for a cluster. For more information, see Configuring a Remote Prism Central Account and Configuring a VMware Account.
Platform sync enables Calm to synchronize any changes in the clusters that are managed by Calm on connected providers. These changes can be any IP Address changes, disk resizing, unavailability of VMs, and so on. You can sync up the configuration changes instantly for your accounts.
Allocate resource quotas to your accounts to have a better control over the infrastructure resources (computer, memory, and storage) that are provisioned through Calm. Based on the resource quota you allocate, the policy engine enforces quota checks when applications are launched, scaled-out, or updated.
Use the utilization report to analyze how the projects to which the cluster is assigned consumed the allocated resources of the cluster. For example, if a Nutanix cluster is assigned to three different projects, you can analyze how the assigned projects consumed the allocated resources of that cluster.
Credentials help in abstracting identity settings while connecting to an external system. Credentials are used to authenticate a user to access various services in Calm. Calm supports key-based and password-based authentication method.
Credentials are used in multiple Calm entities and workflows.
Environment allows a Project Admin to add multiple credentials and configure VM default specifications for each of the selected providers as a part of project and environment configurations.
Project admins must configure an environment before launching an application from the marketplace. The recommendation is to have at least one credential of each secret type (SSH or password) to be defined under each environment in the project. These values get patched wherever the credential values are empty when you launch your marketplace items.
Developers can add credentials to a blueprint. These credentials are referenced after the VM is provisioned. Credentials defined within an environment of a project have no significance or impact on the credentials you define within the blueprint.
Calm supports export and import of blueprints across different Prism Central or Calm instances along with the secrets. The developer uses a passphrase to encrypt credentials and then decrypts credentials in a different instance using the same passphrase to create a blueprint copy.
All global marketplace items have empty credentials values. However, locally published blueprints can have the credential values if the developer published the blueprint with the Publish with Secret s option enabled.
When you launch a marketplace item, credentials are patched wherever the value is empty. In case there are multiple credentials of a particular type configured within the environment of a project, you get the option to select a credential for the launch.
Owners can change the credential value of an application multiple times until the application is deleted. The latest value of a credential that is available at that point in the application instance is used when an action is triggered.
Any change in the credential value at the application level does not impact the credential value at the corresponding blueprint level.
Calm allows managing the following types of credentials:
Static credentials in Calm are modelled to store secrets (password or SSH private key) in the credential objects that are contained in the blueprints that the applications copy.
Calm supports external credential store integration for dynamic credentials. A credential store holds username and password or key certificate combinations and enables applications to retrieve and use credentials for authentication to external services whenever required. As a developer, you can:
For more information about configuring a credential provider, see Configuring a Credential Provider.
When a blueprint uses a dynamic credential, the secret (password or SSH private key) is not stored in the credential objects within the blueprint. The secret values are fetched on demand by executing the runbook within the credential provider that you configure in Calm and associate with the blueprint.
Calm supports external credential store integration for dynamic credentials.
As a developer, you can define variable, runbook, and attributes in a dynamic credential provider definition.
In Calm, a project is a set of Active Directory users with a common set of requirements or a common structure and function, such as a team of engineers collaborating on an engineering project.
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project. You can configure multiple environments in a project and set one of the environments as the default environment for the project.
The project construct defines various environment-specific settings. For example:
Projects provide logical groupings of user roles to access and use Calm within your organization. To assign different roles to users or groups in a project, you use configured Active Directory in Prism Central.
A project in Calm offers the following user roles. Each role has predefined functions that a user with role assigned can perform in a project. For more information, see Role-Based Access Control in Calm.
As part of the project configuration, you also configure environments. Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project. You use a configured environment either during your blueprint creation or during an application launch. When you select a configured environment while launching an application from the marketplace, the values for the application launch are picked up from the selected environment.
You create a project to map your provider accounts and define user roles to access and use Calm.
Calm uses projects to assign roles to particular users and groups. Based on these roles, users are allowed to view, launch, or manage applications.
You can add multiple accounts of the same provider or different providers you configured in Calm to your projects. Calm supports accounts of the following providers:
When you add Nutanix accounts to your project, you can allow clusters and their corresponding VLAN or overlay subnets.
A VLAN subnet is bound to a Prism Element cluster. When you use the VLAN subnet to a provision a VM, the VM get automatically placed on that Prism Element.
However, an overlay subnet can span from a few clusters to all the clusters of your Prism Central. Therefore, when you configure your Nutanix account in your project, Calm enables you to allow clusters before allowing the subnets.
Allowing clusters before their subnets enables you to have projects where you can allow VPCs and their corresponding subnets without allowing any VLAN subnets.
For Nutanix and VMware accounts within your project, you can also define resource quota limits for quota checks. For more information, see Quota Policy Overview.
You can add multiple provider accounts or credential provider accounts that you configured in Calm to your project. You can also define resource quota limits for quota checks for Nutanix and VMware accounts within the project.
Calm allows you to modify the users, accounts, and quota details of a saved project. You can also delete an account from a project.
You can delete a project that is not associated with any application or blueprint. If the project is already used to create any applications or blueprints, you cannot delete the project. In such cases, a dialog box appears displaying the association of the project with different applications or blueprints.
Environment is a subset of a project. When you create a project, you can add multiple accounts of the same provider or accounts of different providers that you configured in Calm to your project. You can then configure one or more environments in your project.
When you create an application blueprint, you select a project and use the environments you configured for that project for application deployments. You can also optionally select one environment for each application profile in the blueprint.
You configure environments as a part of your project creation so that you can use the configured environments when you create blueprints or launch marketplace application blueprints. You can configure multiple environments in your project.
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project.
vm-@@{calm_time}@@
. For more information on Calm macros,
see Macros Overview.
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project.
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project.
Templates allow you to create multiple virtual machines with the same characteristics, such as resources allocated to CPU and memory or the type of virtual hardware. Templates save time and avoid errors when configuring settings and other parameters to create VMs. The VM template retrieves the list options from the configured vCenter.
For more information, refer to VMware KB articles.
A content library stores and manages content (VMs, vApp templates, and other types of files) in the form of library items. A single library item can consist of one file or multiple files. For more information about the vCenter content library, see the VMware Documentation .
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project.
Environment configuration involves configuring VMs and adding credentials for the accounts that you added to your project.
The Resource Group list displays the resource groups that are associated with the subscriptions you selected in your Azure account. In case you have not selected any subscriptions, Calm considers all the subscriptions that are available in the Azure service principal to display the resource groups. Each resource group in the list also displays the associated subscription.
For Windows VMs, specify the certificate store on the virtual machine to which the certificate is added. The specified certificate store is implicitly created in the LocalMachine account.
For Linux VMs, the certificate file is placed under the /var/lib/waagent directory with the file name <UppercaseThumbprint>.crt for the X509 certificate file and <UppercaseThumbpring>.prv for private key. Both of these files are .pem formatted.
Perform the following steps to configure connection in your environment.
You can either select the public IP address or private IP address of a NIC.
Delay timer defines the time period when the check login script is run after the VM starts. It allows you to configure the delay time to allow guest customization script, IP, and all other services to come up before running the check login script.
Credentials help in abstracting identity settings while connecting to an external system. You can configure multiple credentials of the same type (either SSH key or password) and define under the Environment tab. You can use the configured credentials during launch of an application blueprint.
Credentials are used to authenticate a user to access various services in Calm. Calm supports key-based and password-based authentication method.
Quota policies enforce a usage limit on an infrastructure resource for projects and restrict project members to use more than their specified quota limits. Quotas ensure that a single project or a few projects do not overrun the infrastructures. If the cluster runs out of a resource, project members cannot use the resource even if the project has not reached its specified limit.
Quota policies also enforce a usage limit on an infrastructure resource at the provider account level to ensure that the resource consumption is within the specified quota limits across all projects of that provider account.
Quotas are allocated at the account and project levels. Enforcement of resource quota depends on the following factors:
You must enable the policy engine to enforce resource quota policies. For more information, see Enabling policy Engine.
You can define resource quota limits at the project level for the projects that you create in Calm or in Prism Central. The Policies tab of the Project page in Calm provides a unified view of all the resource quota limits that you defined for the project and the accounts within the project. You can manage all your project-specific quota definition on the Policies tab. For more information on how to manage project-level quota limits, see Managing Quota Limits for Projects.
You must consider these conditions while allocating quotas at the project level.
Calm performs quota checks for every resource provisioning request. Quota check happens for multi-VM applications, single-VM applications, and the VMs that are created from Prism Central within a project.
The Prism Admin and Project Admin can view project-wise usage of infrastructure resources for each cluster. For more information, see Viewing Quota Utilization Report and Managing Quota Limits for Projects.
The Policies tab of a project provides you the options to define and manage quota limits for the project and its associated Nutanix and VMware accounts.
You can do the following as part of the quota limit management at the project level:
A snapshot policy allows you to define rules to create and manage snapshots of application VMs that run on a Nutanix platform. The policy determines the overall intent of the snapshot creation process and the snapshot expiration. You can create rules in your snapshot policy to manage your snapshots on a local cluster, on a remote cluster, or both. Perform the following steps to create your snapshot policy.
For information on the snapshot configuration and creation, see Snapshot and Restore for Nutanix Platform.
A blueprint is the framework for every application that you model by using Calm. Blueprints are templates that describe all the steps that are required to provision, configure, and execute tasks on the services and applications that you create.
You create a blueprint to represent the architecture of your application and then run the blueprint repeatedly to create an instance, provision, and launch applications.
A blueprint also defines the lifecycle of an application and its underlying infrastructure; starting from the creation of the application to the actions that are carried out on a blueprint until the termination of the application.
You can use blueprints to model the applications of various complexities; from simply provisioning a single virtual machine to provisioning and managing a multi-node, multi-tier application.
Calm uses services, application profiles, packages, substrates, and actions as building blocks for a blueprint to define applications.
An application is made up of multiple components (or services) working together. The architecture of an application is composed of compute, storage, network, and their connections and dependencies. Services are logical entities that are exposed by an IP address. End users and services communicate with each other over a network through their exposed IP addresses and ports. For more information, see Services Overview.
Any useful blueprint requires infrastructure for instantiation. A blueprint can specify the exact infrastructure or can be completely left to the blueprint user to specify at the time of instantiation.
An application profile provides different combinations of the service, package, and VM (infrastructure choices) while configuring a blueprint. The application profile allows you to use the same set of services and packages on the different platforms. You select an application profile while launching your blueprint.
Application profiles determine where an application should run, for example, on a Nutanix provider account or on an Azure account. Application profiles also control the T-shirt sizing of an application. T-shirt sizing means that the value of a variable might change based on the selection of a small or a large instance of an application.
If Showback feature is enabled, the application profile also displays service cost of the resources used for an application.
Package Install and Uninstall are operations that are run when you first launch a blueprint or when you finally delete the entire application. In other words, these operations are run during the Create or Delete profile actions. Package Install and Uninstall are unique to each application profile, which means that the tasks or the task contents can vary depending upon the underlying cloud or the size.
Package install is commonly used for installing software
packages. For example, installing PostgreSQL with
sudo yum -y install
postgresql-server postgresql-contrib
.
Substrates are a combination of the underlying cloud and the virtual machine instance. When you select the desired cloud, Calm displays all of the fields required for creating a virtual machine instance on that particular cloud. The combination of all these fields constitutes a substrate. Substrates are the infrastructure abstraction layer for Calm. Calm can quickly change where or how applications are deployed by simply changing the substrate.
Actions are runbooks to accomplish a particular task on your application. You can use actions to automate any process such as backup, upgrade, new user creation, or clean-up, and enforce an order of operations across services. For more information, see Actions Overview.
Calm also has a few other components that you can use while configuring your blueprints.
Calm macros are part of a templating language for Calm scripts. These are evaluated by Calm's execution engine before the script is run. Macros help in making scripts generic and creating reusable workflows. For more information, see Macros Overview.
Variables are either user defined or added to the entities by Calm. Variables are always present within the context of a Calm entity and are accessible directly in scripts running on that entity or any of its child entities. For more information, see Variables Overview.
Categories (or tags) are metadata labels that you assign to your cloud resources to categorize them for cost allocation, reporting, compliance, security, and so on. Each category is a combination of key and values. For more information, see Categories Overview.
Dependencies are used to define the dependence of one service in your application on another service or multiple other services for properties such as IP addresses and DNS names. For example, if service 2 is dependent on service 1, then service 1 starts first and stops after service 2.
For information about how to define dependencies between services, see Setting up the Service Dependencies.
You can configure the following blueprint types in Calm.
A single-VM blueprint is a framework that you can use to create and provision an instance and launch applications that require only one virtual machine. Single-VM blueprints enable you to quickly provide Infrastructure-as-a-Service (IaaS) to your end users. For more information, see Creating a Single-VM Blueprint.
A multi-VM blueprint is a framework that you can use to create an instance, provision, and launch applications requiring multiple VMs. You can define the underlying infrastructure of the VMs, application details, and actions that are carried out on a blueprint until the termination of the application. For more information, see Creating a Multi-VM Blueprint.
The blueprint editor provides a graphical representation of various components that allow you to visualize and configure the components and their dependencies in your environment.
Use the Blueprints tab to perform actions, such as:
Services are the virtual machine instances, existing machines or bare-metal machines, that you can provision and configure by using Calm. You can either provision a single service instance or multiple services based on the topology of your application. A service can only expose an IP address and ports on which the request is received. After a service is configured, you can clone or edit the service as required.
A service includes the following entities:
A VM defines the configuration of the virtual machine instance, the platform on which the VM will be installed, and the connection information of the machine. For example, as shown in the following figure, you need to define the name, cloud, operating system, IP address, and the connection information for an existing machine.
A package enables you to install and uninstall software on an existing machine or bare metal machine by using a script. You need to provide the credentials of the VM on which you need to run the script. A sample script is shown in the following figure. Package also defines the port number and the protocol that is used to access the service.
A service enables you to create the variables that are used to define the service-level tasks and service-level actions. As part of the service, you can also define the number of replicas that you want to create of a service. The maximum number of replicas allowed is 300.
For information about how to configure a service, see Configuring Nutanix and Existing Machine VM, Package, and Service.
Calm macros are part of a templating language for Calm scripts. These are evaluated by Calm's execution engine before the script is run.
Macros enable you to access the value of variables and properties that are set on entities. The variables can be user defined or system generated. For more information, see Variables Overview.
Macros help in making scripts generic and creating reusable workflows. You can use macros in tasks within the blueprints or in the configuration of Calm entities, such as the VM name.
Macros require a set of delimiters for evaluation. These are @@{ and }@@ . Everything within these delimiters is parsed and evaluated. For example,
Macros support the following entities.
Macros support the following data types.
Data Type | Usage |
---|---|
String |
@@{"some string"}@@ or @@{'some string'}@@
Note:
Newline or other such special
characters are not supported. You can use \ to escape quotes.
|
Numbers |
Supports integer and float. For example, @@{ 10 + 20.63 }@@
Note:
All variables
are treated as strings.
|
Macros support the following operations.
Calm allows you to access macros of an array service using a special macro which starts with calm_array . You can configure a VM with replicas and access the common macros of all the replicas. For example, you can:
@@{calm_array_name}@@
@@{calm_array_address}@@
@@{calm_array_id}@@
The following table lists the built-in macros that you can use to retrieve and display the entities.
Macro | Usage |
---|---|
@@{calm_array_index}@@ | Index of the entity within an array |
@@{calm_blueprint_name}@@ | Name of the blueprint from which the application was created |
@@{calm_blueprint_uuid}@@ | Universally unique identifier (UUID) of the blueprint from which the application was created |
@@{calm_application_name}@@ | Name of the application |
@@{calm_application_uuid}@@ | UUID of the application |
@@{calm_uuid}@@ | UUID of the entity within the application on which the current task is running |
@@{calm_random}@@ | A random number is generated each time this is used. This will be evaluated each time and should not be used in fields such as VM name. |
@@{calm_unique}@@ | A random number that is unique to this replica. This will be evaluated to the same value across runs. |
@@{calm_jwt}@@ | JWT for the currently logged in user for API authentication. |
@@{calm_now}@@
@@{calm_today}@@ |
The current time stamp |
@@{calm_time(“<format>”)}@@ | The current time in the specified format |
@@{calm_year(“YYYY”)}@@
@@{calm_year(“YY”)}@@ |
The current year in YYYY or YY format |
@@{calm_month(“short”)}@@
@@{calm_month(“long”)}@@ |
Name of the current month in long or short format |
@@{calm_day(“month”)}@@
@@{calm_day(“year”)}@@ |
Numeric day of the month or year |
@@{calm_weeknumber}@@
@@{calm_weeknumber(“iso”)}@@ |
ISO Numeric week of the year |
@@{calm_weekday(“number”)}@@
@@{calm_weekday(“name_short”)}@@ @@{calm_weekday(“name_long”)}@@ |
Day of the week in numeric or short name or long name |
@@{calm_hour(“12”)}@@
@@{calm_hour(“24”)}@@ @@{calm_hour(“am_pm”)}@@ |
Numeric hour of the day in 12:00-hour or 24:00-hour format along with AM or PM |
@@{calm_minute}@@ | Numeric minute |
@@{calm_second}@@ | Numeric second |
@@{calm_is_weekday}@@ | Displays 1 if the current day is a weekday |
@@{calm_is_long_weekday}@@ | Displays 1 if the current day is a weekday from Monday to Saturday |
@@{calm_is_within("time1", "time2")}@@ | Displays 1 if the current time is within the time1 and time2 range |
@@{calm_project_name}@@ | Displays the project name |
@@{calm_username + @nutanix.com}@@ | Displays the username |
@@{calm_float("32.65") * 2}@@
@@{calm_int(calm_array_index) + 1}@@ |
Typecast to integer. This is useful for binary operations. |
@@{calm_string(256) + "-bit"}@@
@@{"xyz" + calm_string(42)}@@ |
Typecast to string. This is useful for string concatenation. |
@@{calm_b64encode(api_response)}@@
@@{calm_b64encode("a,b,c")}@@ |
Base64 encode the data passed to this macro. |
@@{calm_b64encode(b64_encoded_data)}@@
@@{calm_b64encode("YSxiLGM=")}@@ |
Base64 decode the data passed to this macro. |
You can access the properties of a VM by using the platform macros. The following section describes the macros to access the VM properties for different providers.
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.status.cluster_reference.uuid}@@ | To access the uuid of the cluster or the Prism element. |
@@{platform.status.resources.nic_list[0].mac_address}@@ |
To access mac the address.
Note:
Use the
nic_list
index to
access the mac address of a specific nic.
|
@@{platform.status.resources.nic_list[0].subnet_reference.name}@@ | To access the NIC name. |
@@{platform.status.resources.power_state}@@ | To get the state of the VM. |
@@{platform.status.num_sockets}@@ | To access number of sockets of the VM. |
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.datastore[0].Name}@@ | To access the datastore name. |
@@{platform.num_sockets}@@ | To access number of sockets of the VM. |
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.creationTimestamp}@@ | To get the VM creation time stamp. |
@@{platform.selfLink}@@ | To access the self link of the VM. |
@@{platform.networkInterfaces[0].subnetwork}@@ | To access the network details of the VM. |
The following table lists the endpoint macros for HTTP, Linux, and Windows endpoint types.
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.base_url}@@ | Base URL of the HTTP endpoint |
@@{endpoint.connection_timeout}@@ | Time interval in seconds after which the connection attempt to the endpoint stops |
@@{endpoint.retry_count}@@ | Number of attempts the system performs to create a task after each failure |
@@{endpoint.retry_interval}@@ | Time interval in seconds for each retry if the task fails |
@@{endpoint.tls_verify}@@ | Verification for the URL of the HTTP endpoint with a TLS certificate |
@@{endpoint.proxy_type}@@ | HTTP(s) proxy/SOCKS5 proxy to use |
@@{endpoint.base_urls}@@ | Base URLs of HTTP endpoints |
@@{endpoint.authentication_type}@@ | Authentication method to connect to an HTTP endpoint: Basic or None |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.address}@@ | IP address to access the endpoint device |
@@{endpoint.port}@@ | Port number to access the endpoint |
@@{endpoint.value_type}@@ | Target type of the endpoint: IP address or VM |
@@{endpoint.addresses}@@ | IP addresses to access endpoint devices |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.address}@@ | IP address to access the endpoint device |
@@{endpoint.port}@@ | Port number to access the endpoint |
@@{endpoint.value_type}@@ | Target type of the endpoint: IP address or VM |
@@{endpoint.connection_protocol}@@ | Connection protocol to access the endpoint: HTTP or HTTPS |
@@{endpoint.addresses}@@ | IP addresses to access endpoint devices |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
The following table lists the runbook macros.
Macro | Usage |
---|---|
@@{calm_runbook_name}@@ | Name of the runbook |
@@{calm_runbook_uuid}@@ | Universally unique identifier (UUID) of the runbook |
The following table lists the common properties of the virtual machine that are available for usage.
Properties | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
Macros provide a way to access the values of variables that you set on entities. Variables are either user defined or added to the entities by Calm. Variables are always present within the context of a Calm entity and are accessible directly in scripts running on that entity or any of its child entities.
The variable value of a parent entity can be accessed by the child entity unless the properties or the variables are overridden by another entity.
For example, if Variable1 is a variable that you defined on the application profile, then all child entity of the application profile can directly access the value of Variable1 in any task or script running on it as @@{variable1}@@ unless overridden by another entity.
Variables are directly accessed as @@{variable_name}@@ within any task on an entity where the variable is defined and all child entity that inherit this variable. This syntax only delivers the value for the corresponding replica in which the task is running. To get comma-separated values across replicas, you can use @@{calm_array_variable_name}@@ .
For example, on a service with 2 replicas, if you set a backup_dir variable through a set variable Escript task such as:
print "backup_dir=/tmp/backup_@@{calm_array_index}@@"
You get /tmp/backup_0 and /tmp/backup_1 values for replica 0 and 1 respectively.
When a task runs on this service with the echo "@@{backup_dir}@@" script, the script evaluates the following values in each replica of the service:
/tmp/backup_0
/tmp/backup_1
When you change the script to echo "@@{calm_array_backup_dir}@@" , the script evaluates to the following values in each replica of the service:
/tmp/backup_0,/tmp/backup_1
/tmp/backup_0,/tmp/backup_1
The syntax to access the value of variables or properties of other entities or dependencies is @@{<entity name>.<variable/attribute name>}@@ where entity name , is the name of the other entity or dependency and variable/attribute name is the name of the variable or attribute. For example:
Action-level variables are variables that are associated to an action and passed as an argument to the runlog when you run the action. Service action variables are unique for each service while the profile action variables are unique for each profile across all services and replicas. If you deploy five replicas, the service action variables will be the same across all replicas.
Action variables are used in the context of running an action and are defined at the action level. For example, if you have an action to install or uninstall a package on a particular VM, you can have the following action variables.
With multiple runs of this action, you can then install or uninstall multiple packages on the VM.
The following table lists the Nutanix variables that are available for usage.
Variables | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in VMware macros that you can use to retrieve and display the entities.
Properties | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in AWS macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{aws_instance_id}@@ | Instance ID of AWS |
@@{private_ip_address}@@ | Private IP address |
@@{private_dns_name}@@ | Private DNS name |
@@{public_ip_address}@@ | Public IP address |
@@{public_dns_name}@@ | Public DNS name |
@@{vm_zone}@@ | AWS zone of instance |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in GCP macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@
@@{ip_address}@@ @@{public_ip_address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{zone}@@ | Zone in which the VM instance is created. |
@@{platform_data}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
@@{internal_ips}@@ | List of all the private IP addresses. |
@@{external_ips}@@ | List of all the public IP addresses. |
The following table lists the built-in Azure macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{private_ip_address}@@ | Private IP address |
@@{public_ip_address}@@ | Public IP address |
@@{resource_group}@@ | Resource group name in which the VM instance is created. |
@@{platform_data}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the Kubernetes variables that are available for usage.
Properties | Usage |
---|---|
@@{K8sPublishedService.address}@@ | IP address of the service. |
@@{K8sPublishedService.name}@@ | Name of the service. |
@@{K8sPublishedService.ingress}@@ | Load balancer IP for public service. |
@@{K8sPublishedService.platform}@@ | Platform data for the service. |
@@{K8sDeployement.name}@@ | Name of the deployment. |
@@{K8sDeployement.platform}@@ | Platform data for the deployment. |
Categories (or tags) are metadata labels that you assign to your cloud resources to categorize them for cost allocation, reporting, compliance, security, and so on. Each category is a combination of key and values.
Your providers impose a limit to the number of tags that you can use for cloud governance. The following table lists the category or tag limit imposed by each provider:
Providers | Category or Tag Limit |
---|---|
Nutanix | 30 |
AWS | 50 |
VMware | No limit |
GCP | 15 |
Azure | 15 |
Calm reserves 6 tags out of the total tags allowed by your provider and populates them automatically when you provision your VMs using Calm. For example, AWS allows a limit of 50 tags. When you provision your VM on AWS using Calm, 6 out of 50 tags are automatically populated with keys and values specific to Calm VM provisioning. You can use the remaining 46 tags to define other key-value pairs.
The following table lists the Calm-specific categories or tags and their availability for different providers:
Categories or Tags | Nutanix | AWS | VMware | GCP | Azure |
---|---|---|---|---|---|
account_uuid | X | X | X | X | |
CalmApplication | X | X | X | X | X |
CalmService | X | X | X | X | X |
CalmUsername | X | X | X | X | X |
Calm Project | X | X | X | X | |
OSType | X | X | X | X | X |
A single-VM blueprint is a framework that you can use to create and provision an instance and launch applications that require only one virtual machine.
Single-VM blueprints enable you to quickly provide Infrastructure-as-a-Service (IaaS) to your end users.
You can create single-VM blueprints with your Nutanix, VMware, AWS, GCP, or Azure accounts. Use these steps to create a single-VM blueprint with any of your provider accounts.
Perform the following steps to do the preliminary setup of your single-VM blueprint.
Perform the following steps to add VM details to your blueprint.
Configuring the VM in your blueprint is specific to the provider account and the operating system you select for your blueprint. You can configure the VM in a blueprint with Nutanix, VMware, AWS, GCP, or Azure accounts.
Perform the following steps to configure the VM in a single-VM blueprint for your Nutanix account.
vm-@@{calm_time}@@
. For more information on Calm macros,
see Macros Overview.
Perform the following steps to configure the VM in a single-VM blueprint for your VMware account.
Templates allow you to create multiple virtual machines with the same characteristics, such as resources allocated to CPU and memory or the type of virtual hardware. Templates save time and avoid errors when configuring settings and other parameters to create VMs. The VM template retrieves the list options from the configured vCenter.
For more information, refer to VMware KB articles.
A content library stores and manages content (VMs, vApp templates, and other types of files) in the form of library items. A single library item can consist of one file or multiple files. For more information about the vCenter content library, see the VMware Documentation .
Perform the following steps to configure the VM in a single-VM blueprint for your GCP account.
Perform the following steps to configure the VM in a single-VM blueprint for your AWS account.
Perform the following steps to configure the VM in a single-VM blueprint for your Azure account.
The Resource Group list displays the resource groups that are associated with the subscriptions you selected in your Azure account. In case you have not selected any subscriptions, Calm considers all the subscriptions that are available in the Azure service principal to display the resource groups. Each resource group in the list also displays the associated subscription.
Perform the following steps to configure the VM in a single-VM blueprint for your Xi Cloud account.
vm-@@{calm_time}@@
. For more information on Calm macros,
see Macros Overview.
Xi Infrastructure Service Admininistration
Guide
.
Perform the following steps to configure advanced options such as credentials, packages, pre-create and post-delete tasks. Configuring advanced options is optional for a blueprint.
Perform the following steps to configure pre-create task, post-delete task, install package, or uninstall package in a single-VM blueprint.
Perform the following steps to configure application variables in your blueprint.
[
{
"display": "HTML Tutorial",
"url": "https://www.w3schools.com/html/default.asp"
},
{
"display": "CSS Tutorial",
"url": "https://www.w3schools.com/css/default.asp"
},
{
"display": "JavaScript Tutorial",
"url": "https://www.w3schools.com/js/default.asp"
},
{
"display": "jQuery Tutorial",
"url": "https://www.w3schools.com/jquery/default.asp"
},
{
"display": "SQL Tutorial",
"url": "https://www.w3schools.com/sql/default.asp"
},
{
"display": "PHP Tutorial",
"url": "https://www.w3schools.com/php/default.asp"
},
{
"display": "XML Tutorial",
"url": "https://www.w3schools.com/xml/default.asp"
}
]
Then,
during the launch time the list options are ["HTML Tutorial","CSS
Tutorial","JavaScript Tutorial","jQuery Tutorial","SQL Tutorial","PHP
Tutorial","XML Tutorial"].
A multi-VM blueprint is a framework that you can use to create an instance, provision, and launch applications that require multiple VMs.
In a Multi-VM blueprint, you can define the underlying infrastructure of the VMs, application details, and actions that are carried out on a blueprint until the termination of the application.
Services are the virtual machine instances, existing machines or bare-metal machines, that you can provision and configure by using Calm. A service exposes the IP address and ports on which the request is received. You can either provision a single-service instance or multiple services based on the topology of your application.
For more information about services in Calm, see Services Overview.
You can define and configure the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application for a service provider.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a Nutanix platform.
vm-@@{calm_array_index}@@-@@{calm_time}@@
. For more
information on Calm macros, see Macros Overview.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on an AWS platform.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a VMware platform.
Templates allow you to create multiple virtual machines with the same characteristics, such as resources allocated to CPU and memory or the type of virtual hardware. Templates save time and avoid errors when configuring settings and other parameters to create VMs. The VM template retrieves the list options from the configured vCenter.
For more information, refer to VMware KB articles.
A content library stores and manages content (VMs, vApp templates, and other types of files) in the form of library items. A single library item can consist of one file or multiple files. For more information about the vCenter content library, see the VMware Documentation .
To know the supported VMware guest tools versions, see the
VMware Product Interoperability Matrices .
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a GCP platform.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on an Azure platform.
The Resource Group list displays the resource groups that are associated with the subscriptions you selected in your Azure account. In case you have not selected any subscriptions, Calm considers all the subscriptions that are available in the Azure service principal to display the resource groups. Each resource group in the list also displays the associated subscription.
For Windows VMs, the Store field specifies the certificate store on the virtual machine to which the certificate is added. The specified certificate store is implicitly created in the LocalMachine account.
For Linux VMs, the certificate file is placed under the /var/lib/waagent directory. The format of the file name is <UppercaseThumbprint>.crt for the X509 certificate and <UppercaseThumbpring>.prv for private key. Both of these files are .pem formatted.
The following section describes Azure troubleshooting.
/home/calm/log/styx.log
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on Xi cloud provider.
Xi Infrastructure Service Admininistration
Guide.
Perform the following procedure to configure Kubernetes Deployment, Containers, and Service.
A Pod is the basic execution unit of a Kubernetes application and the smallest and simplest unit in the Kubernetes object model that you create or deploy. A Pod represents processes running on your cluster.
Labels are key/value pairs that are attached to objects, such as pods. You can use Labels to specify identifying attributes of objects that are meaningful and relevant to users, but do not directly imply semantics to the core system. You can also use Labels to organize and to select subsets of objects. You can attach Labels to objects either at the creation time or later. Each object can have a set of key/value labels defined. Each key must be unique for a given object.
NodePort
). A
ClusterIP
Service, to which the
NodePort
Service routes, is automatically created.
You'll be able to contact the
NodePort
Service, from
outside the cluster, by requesting
<NodeIP>:<NodePort>
.
NodePort
and
ClusterIP
Services, to which the external load
balancer routes, are automatically created.
Labels are key/value pairs that are attached to objects, such as pods. You can use Labels to specify identifying attributes of objects that are meaningful and relevant, but do not directly imply semantics to the core system. You can also use Labels to organize and select subsets of objects. You can attach Labels to objects at creation time and add or modify at any time. Each object can have a set of key/value labels defined. Each key must be unique for a given object.
Dependencies are used to define the order in which tasks must get executed. Perform the following procedure to set up the service dependency.
An application profile provides different combinations of the service, package, and VM while configuring a blueprint. You configure application profiles and use them while launching a blueprint.
[
{
"display": "HTML Tutorial",
"url": "https://www.w3schools.com/html/default.asp"
},
{
"display": "CSS Tutorial",
"url": "https://www.w3schools.com/css/default.asp"
},
{
"display": "JavaScript Tutorial",
"url": "https://www.w3schools.com/js/default.asp"
},
{
"display": "jQuery Tutorial",
"url": "https://www.w3schools.com/jquery/default.asp"
},
{
"display": "SQL Tutorial",
"url": "https://www.w3schools.com/sql/default.asp"
},
{
"display": "PHP Tutorial",
"url": "https://www.w3schools.com/php/default.asp"
},
{
"display": "XML Tutorial",
"url": "https://www.w3schools.com/xml/default.asp"
}
]
Then,
during the launch time the list options are ["HTML Tutorial","CSS
Tutorial","JavaScript Tutorial","jQuery Tutorial","SQL Tutorial","PHP
Tutorial","XML Tutorial"].
Blueprint configuration involves adding tasks, actions, snapshot and restore configurations, and VM update configurations.
Perform the following procedure to configure a blueprint.
Credentials are used to authenticate a user to access various services in Calm. Calm supports static and dynamic credentials with key-based and password-based authentication methods.
You configure a check log-in task to check whether you are able to SSH into the VM you create. Perform the following steps to configure check log-in.
You can either select the public IP address or private IP address of a NIC.
Delay timer defines the time period when the check login script is run after the VM starts. It allows you to configure the delay time to allow guest customization script, IP, and all other services to come up before running the check login script.
Tasks are part of your deployment creation process and are run one after the other. The tasks are used to perform a variety of operations such as setting up your environment, installing a set of software on your service, and so on.
You have the following basic types of tasks.
Pre-create tasks are actions that are performed before a service is provisioned in a blueprint. For example, if you want to assign static IP addresses to your VMs by using IPAM service, you can create and run a pre-create task to receive the IP addresses before the service is provisioned. The pre-create task helps to restrict the broadcast traffic to receive the IP addresses for those VMs during the service provision.
Post-delete tasks are actions that are performed after you delete a service in a blueprint. For example, if you want to delete the assigned IP addresses from your VMs, you can add a post-delete task to delete the IP addresses after the service is deleted. The post-delete task helps to restrict the broadcast traffic to delete the IP addresses for those VMs during the service provision.
You can create the Execute task type to run scripts on the VM.
eScripts
, see Supported eScript Modules and Functions.
For sample
Powershell
scripts, see Sample Powershell Script.
You can create a Set Variable task type to change variables in a blueprint.
Escripts
, see Supported eScript Modules and Functions.
For sample
Powershell
scripts, see Sample Powershell Script.
You can create an HTTP task type to query REST calls from a URL. An HTTP task supports GET, PUT, POST, and DELETE methods.
You can create a Delay task type to set a time interval between two tasks or actions.
Pre-create tasks are actions that are performed before a service is provisioned in a blueprint. Post-delete tasks are actions that are performed after you delete a service in a blueprint.
Actions are flows to accomplish a particular task on your application. You can use actions to automate any process such as backup, upgrade, new user creation, or clean-up and enforce an order of operations across services.
You can categorize actions into the following types.
Type | Description |
---|---|
Profile Actions |
Application Profile Actions are a set of operations that you can run on your
application. For example, when you launch a blueprint, the Create action is run. When
you do not need the application for a period of time, you can run the Stop action to
gracefully stop your application. When you are ready to resume your work, you can run
Start action to bring the application back to the running state.
You have the following types of profile actions.
|
Service Actions |
Service Actions are a set of operations that are run on an individual service.
These actions cannot be run directly by the application user but can be run indirectly
using either a profile actions or a package install or uninstall operation.
Services span application profiles. For example, if you create a service action in the AHV profile, the same service action is available in the AWS profile as well. You have the following types of service actions.
|
The following are the most common custom actions that developers add to their blueprints:
Custom Action | Description |
---|---|
Scale In |
The scale-in functionality enables you to decrease the number of replicas of a
service deployment. The number of instances to be removed from a service for each
scale-in action is defined in the blueprint while configuring the task in the
profile level action.
The scale count number must be less than or equals to the minimum number of replicas defined for the service. The VM that is created last is deleted first. For information on how to configure scale in, see Adding and Configuring Scale Out and Scale In. |
Scale Out |
The scale out functionality enables you to increase the number of replicas of a
service deployment. The number of instances to be added to a service for each
scale-out action is defined in the blueprint while configuring the task in the
profile level action.
The scale count number must be less than or equals to the maximum number of replicas defined for the service. For information on how to configure scale out, see Adding and Configuring Scale Out and Scale In. |
For information about how to create an action, see Adding an Action to a Multi-VM Blueprint and Adding an Action to a Single-VM Blueprint.
An action is a set of operations that you can run on your application that are created as a result of running a blueprint.
An action is a set of operations that you can run on your application that are created as a result of running a blueprint.
Perform the following procedure to add and configure the Scale Out and Scale In task.
The snapshot and restore feature allows you to create a snapshot of a virtual machine at a particular point in time and restore from the snapshot to recreate the application VM from that time. You can configure snapshot and restore for both single-VM and multi-VM applications on a Nutanix platform. All you need to do is to add the snapshot/restore configuration to the blueprint. Adding the configuration generates separate profile actions for snapshot and restore to which you can add further tasks and actions.
For VMware, AWS, and Azure platforms, the snapshot and restore feature is available by default only to the single-VM applications.
For more information on blueprint configuration for snapshots, see Configuring Single-VM Blueprints with Nutanix for Snapshots and Configuring Multi-VM Blueprints on Nutanix for Snapshots.
The snapshot/restore action for single-VM applications with Nutanix is no longer available by default. To enable snapshot, you must add a snapshot/restore configuration to the single-VM blueprint. You can configure to create snapshots locally or on a remote cluster. Snapshot and restore is a paired action in a blueprint and are always managed together.
The snapshot/restore configuration generates separate application profile actions for snapshot and restore. These actions also allow you to add more tasks and actions as part of the snapshot and restore configuration. For example, shutting down the application and the VM before creating the snapshot or restarting the VM before a restore. You can access these actions from the Manage tab of the Applications page.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
You can configure the snapshot/restore action in a blueprint on Nutanix account to create snapshots locally or on a remote cluster. Snapshot/restore is a paired action for a particular service in a blueprint and are always managed together.
The snapshot/restore definition of a service generates snapshot configuration and its corresponding restore configuration. You can use these configurations to modify your snapshot and restore setup.
The snapshot/restore configuration generates separate application profile actions for snapshot and restore. These actions allow you to add more tasks and actions as part of the snapshot and restore configuration. For example, shutting down the application and the VM before creating the snapshot or restarting the VM or services before a restore. You can access these actions from the Manage tab of the Applications page to create or restore snapshots.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
The update configuration feature allows you to update virtual machines of running applications on Nutanix to a higher or lower configuration. Using this feature, you can modify VM specifications such as the vCPU, memory, disks, networking, or categories (tags) of a running application with minimal downtime. You no longer have to create new blueprints or approach your IT administrator to modify VM resources.
To update configurations of a running application VM, you need to perform the following actions:
As a blueprint developer, you can add update configurations for a service in the blueprint. These update configurations are at the parallel level of application profile actions and can be executed individually for a particular service. As part of the configuration, you can do the following:
For example, consider a case where the original vCPU value in the blueprint is 4. You then add a change factor to the update configuration to increase the vCPU by 1 with a maximum limit of 5. When this update is launched, you can run the action only once to increase the vCPU to 5. Once the VM is upgraded to 5 vCPU, you cannot add any more vCPUs to the VM.
The update configuration generates the corresponding action where you can add tasks to define how you want to execute the update.
For more information about adding update configuration to a blueprint, see Adding an Update Configuration to Single-VM Blueprints and Adding an Update Configuration to Multi-VM Blueprints.
You can update VM specifications from the Manage tab of applications on Nutanix. For more information, see Update VM Configurations of Running Applications.
As a blueprint developer, you can add an update configuration to a single-VM application blueprint.
The update configuration feature allows you to update the virtual machine of a running single-VM application to a higher or lower configuration. For more information, see Update Configuration for VM.
As a blueprint developer, you can add an update configuration for a service to a multi-VM application blueprint.
The update configuration feature allows you to update virtual machines of running multi-VM applications to a higher or lower configuration. For more information, see Update Configuration for VM.
After you configure a blueprint, you can publish, unpublish, launch, or delete a blueprint.
Publishing a blueprint allows you to make the blueprint available at Marketplace, so that other users can use the published blueprint. Unpublishing a blueprint allows you to remove the blueprint from the Marketplace. For more information, see Submitting a Blueprint for Approval.
Launching a blueprint allows you to deploy your application on the blueprint and start using it.
The blueprint launch page provides the following views:
Blueprints that are launched from the marketplace display only the fields that require inputs from consumers. Displaying only editable fields offers a simpler and easy launching experience for your consumers.
You can switch to View as Developer after you develop your blueprints to verify how you configured different fields and the launching experience the configuration will provide to your consumers.
For more information, see Launching a Blueprint.
After you configure a blueprint, you can submit the blueprint to get an approval from the administrator. The administrator approves the blueprint and then publishes the blueprint at the marketplace for consumption.
You launch a blueprint to deploy an application on the blueprint and start using the application.
If the validation is successful, the application is available under the Application tab.
When you enter the platform data that is invalid for a provider while creating a blueprint, you get a validation error. The following table details the invalid platform data for each provider.
Providers | Invalid Platform Data |
Nutanix | Image, NIC List, and Categories. |
GCP | Machine Type, Disk Type, Network, SubNetwork, Source, Image, Zone, and Blank Disk. |
AWS | Vpc, Security Groups, and Subnets. |
VMware | Network name, NIC Type, NIC settings mismatch, Host, Template, Datastore, Datacenter, Storage Pod, and cluster. |
Azure | Image details (publisher, offer, sku, version), Custom image, Resource group, Availability Set Id, NIC List, Network Security group, Virtual Network Name, and Subnet Name. |
The platform validation error message appears as displayed in the following image.
You can also upload configured blueprints to the Blueprints tab. Perform the following procedure to upload a blueprint.
You can also download a configured blueprint to your local machine and use it later. Perform the following procedure to download a blueprint.
Perform the following procedure to view a blueprint.
You can edit a configured blueprint from the blueprints tab. Perform the following procedure to edit a blueprint.
Perform the following procedure to delete a blueprint.
If you have configured wrong details in your blueprint, you can view the error message while saving or publishing a blueprint. Perform the following procedure to view blueprint error message.
You can recover the deleted application blueprints within a time period of 90 days after you delete an application blueprint. This chapter describes the procedure to recover a deleted blueprint.
The marketplace provides preconfigured application blueprints and runbooks for instant consumption. The marketplace is a common platform for both publishers and consumers.
The marketplace has banners to display featured applications. All listed applications display the icon of the platform that supports the application.
You can filter applications or runbooks based on their category and source. You can also search an application or runbook in the marketplace.
Before provisioning an application, you can view details such as application overview, changes made in different versions, and application-level actions.
You can view application details such as licensing, installed resources, hardware requirements, operating systems, platforms, and limitations before you provision the application. You can also view the changes made in different versions and application-level actions.
Perform the following procedure to filter application blueprints or runbooks in the marketplace.
Perform the following procedure to search an application blueprint or runbook.
You can use the Marketplace tab to launch an application blueprint that is approved and published to the marketplace. The application launch page displays the fields that are editable by the consumer.
Following are the rules for naming convention.
VM configurations in blueprints and environments are associated with accounts. The environment patching depends on the account that you associate with the marketplace blueprint and the environment you configured.
To patch a cloud provider VM that has a specific OS type, Calm finds the corresponding match in the environment. In case there are no matches available, Calm displays a notification.
The following table lists the environment patching behavior for platform-dependent and platform-independent fields:
Fields | Condition | Patching Behavior |
---|---|---|
Platform-Dependent Fields | When different accounts are associated with the blueprint and environment | Values from the environment get preference for patching, irrespective of the values in the blueprint. |
Platform-Dependent Fields | When the blueprint and the environment have the same account | Values from the environment are patched only when the fields do not have any value in the blueprint. |
Platform-Independent Fields | When different accounts are associated with the blueprint and environment | Values from the environment are patched only when the fields do not have any value in the blueprint. |
Platform-Independent Fields | When the blueprint and the environment have the same account | Values from the environment are patched only when the fields do not have any value in the blueprint. |
The following table lists the platform-dependent fields for different platforms.
Platform | Platform-Dependent Fields |
---|---|
Nutanix | Image, Categories, Cluster, and NIC |
AWS | Machine Image, Key, Instance Profile Name, VPC ID, Subnet ID, and Security Group List |
GCP | Machine Type, Zone, Network, Disk Type, Source Image, and Email |
VMware | Host, Template, Datastore, Cluster, Storage Pod, Network Name, NIC Type, Disk Location, Disk ISO Path, Folder, and Tag List |
Azure | Resource Group, Location, Availability Set ID, Resource Group Details, Resource Group Operation, Network Security Group Name, Network Name, Subnet Name, Network Security Group ID, Virtual Network ID, Subnet ID, Publisher, Offer, SKU, Version, Source Image Type, and Source Image ID |
Assume that you have two Nutanix Prism Central accounts PC1 and PC2, and you added these accounts to your project (Project1). You then create two environments in the project with the following VM configuration:
ENV1 | ENV2 |
---|---|
|
|
You then create a blueprint with a Nutanix service under Project1 having the following configuration:
When you publish this blueprint in the marketplace and launch the blueprint with a different environment, the environment patching happens as follows:
Because different accounts are associated with the blueprint and environment, all platform-dependent field values are patched from the environment to the blueprint, irrespective of the values already available in the blueprint. The blueprint is launched with the following configuration.
Because the account is same for both blueprint and environment and all the platform-dependent fields already have values, the patching does not happen. The blueprint is launched with the following configuration.
Assume that you have a Prism Central account PC1 that is associated with two Prism Elements PE1 and PE2, and you add PC1 to your project (Project1).
Assume that the associated Prism Elements have the following networks.
You then create two environments with the following VM configuration:
ENV1 | ENV2 |
---|---|
|
|
You then create a blueprint with a Nutanix service under Project1 having the following configuration:
When you publish this blueprint in the marketplace and launch the blueprint with a different environment, the environment patching happens as follows:
Prism Element accounts are derived from the NIC or subnet. The PE1_Net2 network used in the blueprint associates the blueprint to Prism Element PE1, and the PE2_Net1 network used in ENV2 associates the environment to Prism Element PE2.
Because these two networks are connected to two
different Prism Element
account_uuid
, Calm considers this case as two
different accounts associated with the blueprint and environment. All platform-dependent
field values are, therefore, patched from the environment to the blueprint, irrespective
of the values already available in the blueprint. The blueprint is launched with the
following configuration.
The PE1_Net2 network used in the blueprint and the PE1_Net1 network used in ENV belong to the same Prism Element account.
Because these two networks share the same Prism Element
account_uuid
, Calm considers this case as the same account associated
with both the blueprint and environment. Platform-dependent fields in this case already
have values, and the patching does not happen. The blueprint is launched with the
following configuration.
Patching of credentials happens only when you publish your blueprints in the marketplace without secrets.
For patching, the credentials of the marketplace blueprint are mapped with the environment using the associated provider account and operating system type. The password or the key value of the corresponding environment is then patched to the blueprint. The credential name and the credential username are never patched from the environment.
For example, if the blueprint and the environment have the following configurations:
Blueprint | Environment |
---|---|
|
|
The credentials patching in the blueprint happens as follows:
When Blueprint is Published with Secrets | When Blueprint is Published without Secrets |
---|---|
|
|
The Cluster field is platform dependent. The environment patching logic of a platform-dependent field depends on the account that you associate with the marketplace item and the VM configuration of the environment.
Condition | Patching Behavior |
---|---|
When the cluster reference in the blueprint and in the environment VM configuration is the same. | No patching happens. The cluster reference from the blueprint is used for the launch. |
When the cluster reference in the blueprint and in the environment VM configuration is different. | Patching happens. The cluster value is patched from the environment for the launch. |
When the cluster reference in the blueprint is a macro.
Note:
Cluster reference
can be a macro only when all the subnets are overlay subnets or all the subnets are
macros.
|
No patching happens. The cluster value will remain as a macro.
When the reference is a macro, it is independent of the environment or the account that is being used for launch. |
VLAN subnets are platform dependent. The environment patching logic of VLAN subnets depends on the cluster reference of the blueprint and the cluster reference of the associated environment VM configuration.
Overlay subnets are VPC dependent. The environment patching logic of these subnets depends on the VPC reference in the blueprint and the VPC reference of the associated environment VM configuration.
All subnets in the substrate of a blueprint can either have overlay subnets or VLAN subnets. If subnets are overlay subnets, then all the subnets in the substrate must belong to the same VPC.
Condition | Patching Behavior |
---|---|
When the VLAN subnets in the blueprint and in the environment VM configuration is the same. | No patching happens. VLAN subnets are platform dependent. The VLAN subnet values referred in the blueprint are used. |
When the VLAN subnets in the blueprint and in the environment VM configuration is different. | Patching happens. VLAN subnets are platform dependent. The VLAN subnet values are patched from the environment. |
When the VPC reference of the subnets (overlay subnets) in the blueprint and the environment VM configuration is the same. |
No patching happens. The subnet values of the blueprint are used for the
launch.
Values from the environment is patched only if it is empty in the blueprint or not allowed in the destination environment. |
When the VPC reference of the subnets (overlay subnets) in the blueprint and the environment VM configuration is different. | Patching happens. The subnet values are patched directly from the environment. |
When the network type in the blueprint and the environment VM configuration are different (for example, overlay subnets in the blueprint and VLAN subnets in the environment). | Patching happens. The subnet values are patched directly from the environment. |
When the subnet reference of the any of the NICs in the blueprint is a macro. | Patching follows the usual conditions. However, the macros are never patched. |
You can execute a runbook an approved and published runbook using the Marketplace tab.
You can clone an application blueprint or runbook from the marketplace.
Use Marketplace Manager to manage the list of custom blueprints, ready-to-use marketplace application blueprints, and runbooks. You can approve, reject, launch, publish, unpublish, assign a category, and select projects for a blueprint. You can also approve, reject, publish, unpublish, and execute runbooks.
The Approved tab on the Marketplace Manager page provide you a list of ready-to-use application blueprints and the custom blueprints or runbooks you approved. The Approval Pending tab provides a list of custom blueprints and runbooks that require your approval to be available in the Marketplace for consumption.
When you select a blueprint or runbook from the list on any tab, the inspector panel displays the operations you can perform on the selected blueprint or runbook. The inspector panel also displays a brief overview of the blueprint or runbook and allows you to assign projects to blueprint or runbook.
You can perform the following actions on blueprints or runbooks.
Marketplace version enables you to define the initial version number of the blueprint or runbook that is getting published to the marketplace. Marketplace version also enables you to revise the version of a blueprint or runbook that is already published to the marketplace. For information about how to define marketplace version, see Submitting a Blueprint for Approval or Submitting a Runbook for Publishing.
You can approve custom blueprints or runbooks that are submitted for approval on the Approval Pending tab. You can also publish the approved blueprints or runbooks to the marketplace after associating them with a project on the Approved tab.
The Approved tab also displays the ready-to-use application blueprints that are available after enabling the Nutanix Marketplace Apps toggle button on the Settings page. These application blueprints do not require approval and can be published directly to the marketplace after associating them with a project. For more information about enabling the ready-to-use applications, see Enabling Nutanix Marketplace Applications.
You can unpublish a blueprint or runbook if you do not want to list it in the Marketplace. You can publish the blueprint or runbook again if required.
You can delete a blueprint or runbook that is not published in the marketplace. If you want to delete a published blueprint or runbook, you first have to unpublish it and then delete it.
You create applications in Calm by creating and launching blueprints.
The Applications page displays the list of all published applications under the Applications tab and the list of brownfield applications under the Brownfield Applications tab.
The Applications page provides the following details about an application.
You have the following application-level actions.
You cannot perform the Create action after the blueprint is launched and the application is created. You can perform all other application-level actions according to the application state.
You can also perform advanced application actions such as creating or restoring snapshots, updating VM configuration, or cloning an application. See the Advanced Application Actions chapter in this guide for details.
The applications page displays the state of the application based on the actions you perform on the Manage tab.
Application State | Description |
---|---|
Provisioning | When you start an application. |
Running | When the application is deployed and running after the provisioning state. |
Stopping | When you have initiated an operation to stop the application. |
Stopped | When the application is stopped. |
Restarting | When you have initiated an operation to restart the application after the application is stopped. |
Deleting | When you have initiated an operation to delete the application. |
Deleted | When the application is deleted. |
Busy | When you have installed the NGT services on the VMs of an application. |
Updating | When you are editing an application. |
Error | When the application goes to error state due to any action you have performed in the Manage tab. |
Failover-in-progress | When you have initiated a failover operation on Prism Central for the protected VMs of an application. |
Failover-failed |
When the failover operation for the VMs has failed. The failure state mainly
occurs in the following conditions.
|
You can click an application name to get details about the application as shown in the following figure.
The application page consists of the following tabs.
The Overview tab consists of the following panels.
Panel | Description |
---|---|
Application Description | Displays the application description. |
Variables | Displays the variable list used to create the blueprint. You can click the copy icon next to the variable to copy the variable. |
Cost Summary |
Displays the total cost, current cost for each hour, and the cost incurred in a
month for the resources that are running in the blueprint. The cost summary panel also
displays a graphical representation of the incurred cost.
Note:
The
Cost
Summary
panel is applicable for Nutanix and VMware
providers.
|
App Summary |
Displays the following application details.
|
App Status |
Displays the summary of virtual machines (VMs). The panel displays the number of
VMs that are in the following state.
|
VM info |
Displays the following VM details of the application.
|
The Manage tab lists the system-generated and user-created actions that you can perform on the application. When you click any of the listed actions, the editor displays the action dependencies.
You can perform the following system-generated actions on an application.
Nutanix guest tools (NGT) is a software bundle that you can install in a guest virtual machine (Microsoft Windows or Linux) to enable the advanced functionalities provided by Nutanix. For more information on NGT, see the Nutanix Guest Tool section in the Prism Web Console Guide .
The inspector panel also displays the action you perform on an application. To view the detailed course of the action, click Action .
The Metrics tab allows you to view performance metrics of the VM. The Metrics tab displays a section on the left with a list of metrics.
The following table describes the available metrics.
Metric | Description |
---|---|
CPU usage | Displays the percentage of CPU capacity currently the VM is using (0–100%). |
CPU ready Time | Displays the current, high, and low percentage of CPU ready time (0–100%). |
Memory usage | Displays the percentage of memory capacity currently the VM is using (0–100%). |
I/O Bandwidth | Displays separate graphs for total, write (only), and read (only) I/O bandwidth used per second (Mbps or KBps) for physical disk requests by the VM. |
I/O Latency | Displays separate graphs for total, write, and read average I/O latency (in milliseconds) for physical disk requests by the VM. |
IOPS | Displays separate graphs for total, write, and read I/O operations per second (IOPS) for the VM. |
Usage | Displays separate graphs for current, snapshot, and shared storage usage (in GiBs) by the VM. |
Working set size | Displays separate graphs for total, write, and read storage usage (in GiBs) for the VM working set size. |
Network packets dropped | Displays separate graphs for the number of transmitted and received packets dropped. |
Network bytes | Displays separate graphs for the amount of transmitted and received bytes (in GiBs). |
The Recovery Points tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application.
The Recovery Points tab applies only to single VM blueprints running with Nutanix as the provider.
To create snapshots of the single-VM or multi-VM applications that are running on Nutanix platform, use the snapshot action on the Manage tab of the application.
Fields | Description |
---|---|
Name | Displays the name of the snapshots. |
Creation Time | Displays the date and time of the snapshot creation. |
Location | Displays the location where the snapshot was taken. |
Expiration Time | Displays the expiration time of the snapshot. |
Recovery Point Type | Displays whether the snapshot type is application-consistent or crash-consistent. |
The Snapshot tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application. Use this tab to create snapshots of single-VM applications that are running on VMware or Azure.
Fields | Description |
---|---|
ID | Displays the ID of the snapshots. Snapshot IDs are unique and automatically generated when you take a snapshot. |
Name | Displays the name of the snapshot. |
Description | Displays the description of the snapshot. |
Parent | Displays the parent blueprint application from which the snapshot is taken. |
Creation Time | Displays the date and time when the snapshot is taken. |
The AMIs tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application.
Fields | Description |
---|---|
ID | Displays the ID of the snapshots. Snapshot IDs are unique and automatically generated when you take a snapshot. |
Name | Displays the name of the snapshot. |
Description | Displays the description of the snapshot. |
Creation Time | Displays the date and time when the snapshot is taken. |
Perform the following procedure to run shell commands on a web SSH console for a service.
The Audit tab lists the action or actions that are performed on an application as displayed in the following figure. To view the detailed course of the action, click action.
Brownfield applications are created to manage existing VMs that are currently not managed by Calm. To create a brownfield application, Calm must communicate with the VMs that are not managed by Calm. After the application is created, the application runs like any other Calm application.
The following are the key points you must consider before you create a brownfield application.
In Calm, the update configuration is stored as a single element per service and applicable from the first VM instance. When you select multiple VMs with different configurations in a service and update the configuration, the update configuration applies to the first VM instance. The same configuration is then followed for all the remaining VM instances.
Let’s say you selected VM1 and VM2 for the service with a RAM of 4 GB and 8 GB respectively. If you define the update configuration to increase the RAM by 1 GB and run the action, the update applies to VM1 to increase the RAM to 5 GB. The same configuration is then followed for VM2 to change the RAM from 8 GB to 5 GB causing undesirable results in both the update configuration and quota utilization checks.
For information on how to create a brownfield application, see Creating Brownfield Application.
Brownfield applications are created to manage existing VMs that are currently not managed by Calm. Perform the following procedure to create brownfield application.
You must launch the configured brownfield applications to be managed by Calm.
Nutanix Guest Tools (NGT) is a software bundle that you can install in a guest
virtual machine (Microsoft Windows or Linux) to enable the advanced functionality provided
by Nutanix. For more information about NGT, see the
Prism Central
Guide
. Perform the following procedure to install NGT services on your
VM. NGT services are only applicable for AHV clusters.
After you install NGT service on a VM, you can either enable or disable VSS and SSR
services by using the
Manage NGT Apps
play button. To know more VSS
and SSR services, see the
Nutanix Guest Tools
section in the
Prism Web Console Guide
.
If you do not want to recover application details after the host VM becomes unavailable, uninstall the NGT application. Perform the following procedure to uninstall NGT services for your application.
A snapshot preserves the state and data of an application virtual machine at a specific point in time. You can create a snapshot of a virtual machine at a particular point in time and restore from the snapshot to recreate the application from that time.
On a Nutanix platform, you can use the snapshot and restore feature in both single-VM and multi-VM applications. On VMware, AWS, and Azure platforms, you can use the snapshot and restore feature only in a single-VM application.
While the snapshot and restore feature is available by default for VMware, AWS, and Azure platforms, you need to add the snapshot/restore configuration to the single-VM or multi-VM blueprint on Nutanix. Adding the configuration to the blueprint generates separate profile actions for snapshot and restore. For more information, see Configuring Single-VM Blueprints with Nutanix for Snapshots and Configuring Multi-VM Blueprints on Nutanix for Snapshots.
Snapshot and restore of an application VM that runs on a Nutanix platform involves the following configurations and actions:
As a project admin, you define snapshot policies in a project. Snapshot policies help you define rules for taking snapshots of application VM. The policy determines the overall intent of the snapshot creation process and the duration of managing those snapshots. You can configure your snapshot policy to manage your snapshots on a local cluster, on a remote cluster, or both.
Remote snapshots are particularly useful when your Prism Central has a computer-intensive cluster managing workloads and a storage-intensive cluster managing your data, snapshots, and so on.
For more information about creating a snapshot policy, see Creating a Snapshot Policy.
You define snapshot and restore configuration for each service in a blueprint. You can configure the service to create snapshots locally or on a remote cluster. In case your multi-VM blueprint has multiple replicas of the service, you can configure the action to take snapshot only for the first replica or the entire replica set.
The snapshot/restore definition of a service generates the snapshot configuration and its corresponding restore configuration. You can use these configurations to modify your snapshot and restore setup. The snapshot/restore definition also generates application profile actions that you can use to create or restore snapshots. You can add more tasks and actions as part of your snapshot and restore to define actions you might want to take on your services. For example, shutting down the application and the VM before taking the snapshot or restarting the VM or services before a restore.
For more information on snapshot and restore configuration, see Blueprint Configuration for Snapshots and Restore.
You associate a policy defined in a project when you launch the application. Depending on the snapshot configuration that you provide in the blueprint, you can select the policy and the cluster in which the snapshot will be stored.
If you defined remote snapshot in the blueprint, then you can view all the policies that allow you to take a remote snapshot. You can select a policy and the corresponding clusters before you launch the application.
For more information, see Launching a Blueprint.
Like other profile actions, the profile actions for snapshot and restore appear on the Manage tab of an application. The snapshots created are listed under the Recovery Points tab of the application. When you create multiple snapshots as part of one action, they appear as a snapshot group. You can expand the group to view the snapshots, their corresponding services, and location. For more information, see Creating Snapshots on a Nutanix Platform.
Restore follows the same configuration that the snapshot has. To restore, you specify the variables and select applicable recovery points depending on the VM. For more information, see Restoring VM Details from Snapshots on a Nutanix Platform.
Perform the following procedure to create application-consistent or crash-consistent snapshots. Application-consistent or crash-consistent snapshots are used to capture and recover all of the VM and application level details. Application-consistent snapshots can also capture all data stored in the memory and transactions in process.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
Nutanix Guest
Tools
section in the
Prism Web
Console Guide
.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application from the snapshots.
A snapshot preserves the state and data of a virtual machine at a specific point in
time. You can create a snapshot of a virtual machine at any time and revert to that snapshot
to recreate the application from that time. For more information, see the
VMware Documentation
. Perform the following procedure
to create a snapshot.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application VM details from a snapshot.
You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. For more information, see AWS Documentation . Perform the following procedure to create a snapshot on a AWS platform.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application VM details from a snapshot. Ensure that you have captured the snapshots for the application VM.
Creating a snapshot of an application virtual machine on the Azure platform creates a point-in-time copy of your operating system and data disks associated with the VM. The snapshots you create can then be used to create a new VM with the same configurations as the source application VM.
You can restore the VM details of an application after the host VM becomes unavailable. The VM snapshot that you create on an Azure platform consists of the snapshot of operating system and data disks. When you restore the VM details, a new VM is created using the snapshots of the disks.
Perform the following procedure to delete the snapshots created for the VM under an application.
The update configuration feature allows you to update the virtual machine of a running application to a higher or lower configuration. Using this feature, you can modify VM specifications such as the vCPU, memory, disks, networking, or categories (tags) of a running production application with minimal downtime.
The process to update VM configuration of a running application on Nutanix is different from other providers.
To update configurations of a running single-VM or multi-VM applications on Nutanix, you need to perform the following steps:
For more information, see Update Configuration for VM.
You can update VM specifications from the Manage tab of the application. While launching the update, you can define the variables, verify the updates defined for the service by looking at the original value and updated value. You can also modify the values if the component is editable. You can also check the cost difference at the top of the page before applying the changes. For more information, see Updating the VM Configuration of an Application on Nutanix.
The option to update VM configuration of a running single-VM application on VMware, AWS, or Azure is available by default on the Overview tab of the application. The attributes that you can update depends on the provider account you selected for the application.
You can run the update configuration to modify the VM specifications, such as the vCPU, memory, disks, networking, or categories of a single-VM or multi-VM application.
You can click the delete icon to remove the existing disk.
You can click the delete icon to remove any new disk if your blueprint developer has enabled it in the application blueprint.
You can run the update configuration to modify parameters, such as VM configurations, controllers, disks, and network adapters of a single-VM application running on a VMware platform.
You can run the update configuration to modify parameters, such as instance type, IAM role, security groups, tags, and storage of a single-VM application running on an AWS platform.
You can run the update configuration to modify parameters, such as VM configurations, controllers, disks, or network adapters of a single-VM application running on an AWS platform.
You can add or update the credential, custom actions, post delete tasks, or package uninstall tasks from the Overview tab of a single-VM application.
An image is a template for creating new instance or VM. Calm allows you to create images from an existing single-VM or multi-VM application running on a Nutanix platform. Perform the following procedure to create an image from an existing application.
Perform the following procedure to clone an application. The cloned application has the same VM configuration as the source application from which it is cloned.
You can delete the unwanted applications from the Applications tab.
You can define and create custom or user-level actions while configuring a blueprint. Perform the following procedure to run the user-level actions.
System-level actions are pre-defined actions that you can run on an application. Perform the following procedure to execute the system-level actions.
Scheduler allows you to schedule application action and runbook executions. You can schedule recurring jobs and one-time jobs for critical operations throughout the application life cycle.
You can schedule any user-defined application actions, create or restore application snapshots (only AHV), or any pre-defined system actions such as Start, Stop, Restart, Delete, and Soft Delete. For example, you can schedule a Stop action and a Start action on a single-VM Calm application to run at a particular date and time.
Scheduler supports two types of entities.
Scheduler jobs have a role ownership. A user can modify the job that you created if the user has access to the entity and Allow Collaboration is enabled in the associated project. For example, if you create a scheduler job for an application action as a developer, a consumer that has access to the same application can modify the job. If Allow Collaboration is disabled in the project, then only the creator of the scheduler job can modify the job. For information on the role required to schedule application action and runbook execution, see Role-Based Access Control in Calm.
Create a scheduler job to perform an application action or runbook execution.
You can view or update a scheduler job on the Scheduler tab of the Policies page.
Scheduler jobs have a role ownership. You can update a job that a different user has created only when you have access to the entity and collaboration is allowed in the associated project.
You can also click View Logs for any executed job to go to the Audit tab and view the logs.
You can delete a scheduler job on the Scheduler tab of the Policies page.
An approval policy adds a level of governance to determine which application deployment requests or actions require approvals before they are initiated. You can use approval policies to manage your infrastructure resources, their associated costs, and compliance more effectively.
For example, consider a marketplace item that consumes a significant part of your available resources. You can use an approval policy to enable your IT administrator to review all deployment requests for that marketplace item and ensure that all requests are justified.
You can also use approval policies to enable a project administrator to review all the changes that are done as part of orchestration to a critical application instance.
As a Prism Central Admin or Project Admin, you can create approval policies for runbook executions, application launch, and application day-2 operations (system-defined or user-defined actions).
Each approval policy is a defined set of conditions that you apply to specific entities in Calm. An approval request is generated when an associated event meets all the conditions defined in the policy.
You can configure approval policies for specific events with different set of conditions. For example, to configure an approval policy for a marketplace item, you can use the following values:
The following table lists the different conditions that you can define for different events in approval policies. To search for a provider-specific attribute, type the provider name in the Attribute field.
Entity Type and Action | Provider | Attribute | Operator |
---|---|---|---|
Entity Type: Runbook Action: Execute |
All | Runbook Name | Equals, Contains, Like |
Task Name | Equals, Contains, Like | ||
Endpoint Name | Equals, Contains, Like | ||
Entity Type: Application Action: Launch |
All | Substrate Type | Equals, Contains, Like |
Blueprint Name | Equals, Contains, Like | ||
Application Name | Equals, Contains, Like | ||
Application Profile Name | Equals, Contains, Like | ||
Estimated Application Profile Cost | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Account Name | Equals, Contains, Like | ||
VM Name | Equals, Contains, Like | ||
Service Name | Equals, Contains, Like | ||
App Replicas Count | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
OS Type | Equals, Contains, Like | ||
Azure Specific Attributes | Azure Tag | Equals, Contains, Like | |
Azure Location | Equals, Contains, Like | ||
Azure Instance Name | Equals, Contains, Like | ||
Azure Resource Group | Equals, Contains, Like | ||
Azure Availability Zone | Equals, Contains, Like | ||
Azure Availability Set | Equals, Contains, Like | ||
Azure Hardware Profile | Equals, Contains, Like | ||
Azure Data Disk Name | Equals, Contains, Like | ||
Azure Data Disk Type | Equals, Contains, Like | ||
Azure Data Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Azure Network Profile Subnet | Equals, Contains, Like | ||
Azure Network Profile NIC Name | Equals, Contains, Like | ||
Azure Network Profile Virtual Network | Equals, Contains, Like | ||
Azure Network Profile Network Security Group | Equals, Contains, Like | ||
VMware Specific Attributes | VMware Instance Name | Equals, Contains, Like | |
VMware Datastore Cluster | Equals, Contains, Like | ||
VMware Datastore | Equals, Contains, Like | ||
VMware Cluster | Equals, Contains, Like | ||
VMware Host | Equals, Contains, Like | ||
VMware Sockets | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Cores Per Socket | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Memory | Equals, Contains, Like | ||
VMware Adapter Type | Equals, Contains, Like | ||
VMware Network | Equals, Contains, Like | ||
VMware Disk Type | Equals, Contains, Like | ||
VMware Tag | Equals, Contains, Like | ||
VMware Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Template Name | Equals, Contains, Like | ||
AHV Specific Attributes | AHV vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | |
AHV Cores Per vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Memory | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Category | Equals, Contains, Like | ||
AHV VPC Name | Equals, Contains, Like | ||
AHV vLAN Name | Equals, Contains, Like | ||
AHV Disk Type | Equals, Contains, Like | ||
AHV Disk Image Name | Equals, Contains, Like | ||
AHV Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Boot Configuration Type | Equals, Contains, Like | ||
AWS Specific Attributes | AWS Instance Type | Equals, Contains, Like | |
AWS Region | Equals, Contains, Like | ||
AWS Tag | Equals, Contains, Like | ||
AWS Root Volume Type | Equals, Contains, Like | ||
AWS Data Volume Type | Equals, Contains, Like | ||
AWS Root Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AWS Data Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AWS IAM Role | Equals, Contains, Like | ||
AWS VPC ID | Equals, Contains, Like | ||
AWS Security Group ID | Equals, Contains, Like | ||
AWS Subnet ID | Equals, Contains, Like | ||
AWS Machine Image ID | Equals, Contains, Like | ||
GCP Specific Attributes | GCP Instance Name | Equals, Contains, Like | |
GCP Machine Type | Equals, Contains, Like | ||
GCP Zone | Equals, Contains, Like | ||
GCP Boot Disk Storage Type | Equals, Contains, Like | ||
GCP Boot Disk Source Image | Equals, Contains, Like | ||
GCP Labels | Equals, Contains, Like | ||
Entity Type: Application Action: Day 2 Operation |
All | Application Name | Equals, Contains, Like |
Application Profile Cost | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
App Replicas Count | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Action Name | Equals, Contains, Like | ||
AHV Specific Attributes (for Update Config Only) | AHV vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | |
AHV Cores Per vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Memory | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Category | Equals, Contains, Like | ||
AHV vLAN Name | Equals, Contains, Like | ||
AHV VPC Name | Equals, Contains, Like | ||
AHV Device Type | Equals, Contains, Like | ||
AHV Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV (for Snapshots) | AHV Snapshot Location | Equals, Contains, Like | |
AHV Snapshot Replica | Equals, Contains, Like | ||
AHV Snapshot Name | Equals, Contains, Like |
Day 2 operations are combination of multiple actions. Ensure that you use the supported attributes for different day 2 operations to enforce the policy appropriately. For example, when you configure a policy with scale in or scale out task, the supported attributes can be App Replicas Count and Application Profile Cost.
The following table provides the day 2 operation with the supported attributes.
Day 2 Operation | Supported Attributes |
---|---|
AHV Update Config | Estimated Application Profile Cost, AHV vCPU, AHV Cores Per vCPU, AHV Memory, AHV Category, AHV VPC Name, AHV vLAN Name, AHV Disk Size, and AHV Device Type |
Scale-in or Scale-out task | App Replicas Count and Application Profile Cost |
AHV Snapshot Config | AHV Snapshot Name, AHV Snapshot Replica, and AHV Snapshot Location |
Supported Attributes for All Day 2 Operations | Application Name and Action Name |
For system actions, you must specify the name in the action_<system action> format. The following table lists the system action names supported for approval policies.
System Action | Names |
---|---|
Start | action_start |
Restart | action_restart |
Stop | action_stop |
Delete | action_delete |
Soft Delete | action_soft_delete |
Snapshot Create | action_snapshot_create |
Restore | action_restore |
Update | action_update |
To quickly create a new policy, you can clone an existing policy and edit its basic information, conditions, and approvers.
You cannot clone an approval policy that is in the Draft state.
You can enable a policy to enforce the policy on an event that matches the entity, action, and conditions of the policy or disable the policy to skip policy enforcement.
As a Prism Central Administrator or Project Administrator, you can delete an approval policy if the policy is no longer required for the event.
After you have created a policy, you can view the details of the policy on the policy details page.
An an approver, you can view a list of all pending approval policies on the Approval Requests tab and can either approve or reject the request with a reason.
When you approve a request, the event moves to the next task. When you reject a request, the requester is notified about the rejection of the request. If you are the requester, you can view your pending requests and the status of your reviewed request on the My Requests tab.
Library allows you to save user-defined tasks (scripts) and variables that you can use persistently for other application blueprints. You do not have to define the same tasks and variables for each blueprint.
You can also share tasks and variables listed as part of library across different projects. You can also customise an existing task or variable.
The Library tab lists all the published user-defined tasks and the created variable types to be used across multiple blueprints.
You create custom variable types for added flexibility and utility. Beyond just string and integer data types, you can create more data types such as Date/Time, list, and multi-line string. You can define list values as a static list of values or can attach a script (eScript or HTTP task) to retrieve the values dynamically at runtime.
While creating a custom variable type, you associate a project to the variable type. You can also share the variable type with multiple other projects using the "Share" option on the same page.
Create variable types so that you can use the variables during blueprint creation. You can also share the created variable types across multiple projects.
You can create tasks while configuring a blueprint and publish these tasks to the library. Calm allows you to import these published tasks while configuring other blueprints across multiple projects.
To refer to the video about task library, click here.
Add tasks to a project so that you can use the tasks while configuring blueprints for the selected project.
Delete unwanted tasks from the Library. The deleted tasks can no longer be used in any project while configuring a blueprint.
A runbook is a framework to automate routine tasks and procedures that pan across multiple applications without the involvement of a blueprint or an application.
A runbook is a collection of tasks that you can define to run sequentially at different endpoints. For more information about endpoints, see Endpoints Overview.
You can define the following types of tasks in a runbook.
Task | Description |
---|---|
Execute | To run Shell, PowerShell, and eScript (custom python) scripts. |
Set Variable | To run a script and create variables. |
Delay | To set a delay interval between two tasks or actions. |
HTTP | To perform REST calls to an HTTP endpoint. |
While Loop | To iterate over multiple tasks until the defined condition is met. |
Decision | To define different flows or paths based on the exit condition. |
VM Power On | To power on the VMs that are present in the VM endpoint type. |
VM Power Off | To power off the VMs present in the VM endpoint type. |
VM Restart | To restart the VMs present in the VM endpoint type. |
For more information about creating a runbook, see Creating a Runbook.
To share an active runbook across different projects, you can submit the runbook to be published as a Marketplace item. When the runbook is available at the marketplace, members from different projects to which the runbook is assigned can view and execute it.
When you submit a runbook for publishing, your administrator approves and publishes the runbook at the Marketplace. While publishing, your administrator selects the projects that can view and execute the runbook. You can publish runbooks with or without endpoints and with or without secret values (credential passwords or keys and secret variables). For more information, see Submitting a Runbook for Publishing.
You can select endpoints with virtual machines as the target type to execute power operation tasks such as power off, power on, or restart. Executing these tasks on Virtual machines is particularly helpful in cases where you need to run a set of scripts on multiple VMs and then restart the VMs. For example, when you want to upgrade a software on your VMs. For more information about creating an endpoint, see Creating an Endpoint.
You cannot modify the runbook after it is published. You can either execute the runbook or clone the runbook within your project from the marketplace.
A runbook is a collection of tasks that you can define to run sequentially at different endpoints.
Calm uses the default endpoint only when you do not configure any endpoint at the task level.
The task is further subdivided into True and False condition. You must repeat the steps to add the tasks and configure the task type.
Create a runbook with the Execute task to run Shell, PowerShell, and eScript (custom python) scripts. Create a runbook with the Set Variable task to run a script and create variables.
Create a runbook with the Delay task to set a delay interval between two tasks or actions.
Create a runbook with the HTTP task to perform REST calls to an HTTP endpoint.
Create a runbook with the While Loop task to iterate over multiple tasks until the defined condition is met.
Submit a runbook for publishing so that your admin can approve and publish it at the marketplace. Members from the associated projects can view and execute the runbooks that are published at the marketplace.
You can execute a runbook to run the tasks sequentially on an endpoint.
Perform the following procedure to delete a runbook.
Endpoints are the target resources where the tasks defined in a runbook or blueprint are run.
The endpoints are collection of IP addresses or VMs. The collection of VMs can be a static selection or can be dynamic with filter rules applied.
You have the following types of endpoints.
To know how to create an endpoint, see Creating an Endpoint.
For Windows or Linux endpoint type, you can select virtual machines as the target type. Selecting VMs as target type is useful in cases where you run a set of scripts on multiple VMs and then restart the VMs. For example, you can select VMs as target type to upgrade a software on your VMs.
After you select VMs as the target type, you must select the provider account to list all the associated VMs. You can filter the list of VMs. You can either select the VMs manually or enable the option to automatically select the filtered VMs for your endpoint.
Create an endpoint to run the tasks that you define in a runbook or blueprint.
Perform the following procedure to delete a endpoint.
You can take a backup of the Calm data to a specified location on your machine and restore the data to a new Prism Central. You back up the following data:
You can take a backup of the entire Calm data to a specified location on your machine and restore the data to a new Prism Central.
docker exec -it nucalm bash
calmdata
binary is available in the
/home/calm/bin
folder.
# cd /home/calm/bin
# ./calmdata backup --dump-folder <folder>
calmdata
tar file dump.
sudo kubectl -s 0.0.0.0:8070 -n ntnx-base get pods
cd ~/cluster/bin/
vi backup_iam.sh
backup_iam.sh
file.
sh backup_iam.sh
/usr/local/nutanix/iam-backup
.
docker cp <nucalm_container_id>:<backup_tar_file_path> <PC_path_to_copy>
docker cp f4af4798e47d:/backup/3.5.1_backup.tar /home/nutanix/local_backup/
scp
command to copy the calmdata backup tar file from
the Prism Central file system to the new Prism Central.
scp
command to copy the
IAM backup zipped file from the Prism Central file system to the following
location on the new Prism Central.
/usr/local/nutanix/iam-backup
docker cp <back_up_tar_file_path> <nucalm_container_id>:<restore_path_dump_folder>
# ./calmdata restore --dump-folder <folder>
docker exec -ti nucalm bash
activate;
code ;
python scripts/update_policy_vm_host_data.pyc
sudo systemctl stop policy-container
sudo systemctl stop policy-epsilon-container
sudo systemctl stop chronos-container
docker rm -f policy
docker rm -f policy-epsilon
docker rm -f chronos
sudo systemctl start policy-container
sudo systemctl start policy-epsilon-container
sudo systemctl start chronos-container
cd ~/cluster/bin/
vi restore_iam_from_file.sh
restore_iam_from_file.sh
file.
sh restore_iam_from_file.sh
Use the following flag options for your Calm data backup:
Options | Description |
---|---|
dump-folder |
The folder where you want to place the backup data. The default folder is located
at
/tmp/default
.
Note:
Create this folder before taking the
backup. When you restore, the restore binary must be present at this
location.
Example:
|
max-threads |
The maximum number of threads to use to take the backup. The default value is
5.
Example:
|
fetch-limit |
The maximum number of entries to fetch in batches of 100 per call. The default
and the maximum value is 100. Decreasing the value of
fetch-limit
increases the time taken to back up Calm
data.
Example:
|
idf-timeout |
The timeout for IDF (database). Increase the value of IDF timeout if you
encounter backup failure due to timeout. The default value is
60.
Example:
|
backup-deleted-entities |
The flag to include deleted entities in the backup. The backup does not include
deleted entities when the value is False. The default value is
True.
Example:
|
When you enable the policy engine for your Calm instance, Calm creates and deploys a new VM for the policy engine in your Prism Central network. After the policy engine VM deployment, you can anytime create a backup of your policy engine database. You can use the backup to restore the policy engine to the earlier state on your existing policy engine VM or on a new policy engine VM.
You must run the backup and restore commands from your Prism Central instance.
ssh nutanix@<policy_vm_ip>
/home/nutanix/scripts/backup.sh
<policy_vm_ip>
is the IP address of the policy
engine VM.
/home/nutanix/data/backups/
.
scp
command and then to the new policy
engine VM.
ssh nutanix@<policy_vm_ip> /home/nutanix/scripts/restore.sh
–-list
ssh nutanix@<policy_vm_ip> /home/nutanix/scripts/restore.sh
-f=<backup_name>
<policy_vm_ip>
is the IP address of the policy
engine VM and
<backup_name>
is the local backup file
available on the policy engine VM.
Calm task library public repository contains scripts for installing and uninstalling different services. To access the repository, click here.
The following sections provide the sample scripts of Cloud-init and SysPrep to configure the static IP address range for non-managed AHV network.
#cloud-config
cloud_config_modules:
- resolv_conf
- runcmd
write_files:
- path: /etc/sysconfig/network-scripts/ifcfg-eth0
content: |
IPADDR=10.136.103.226
NETMASK=255.255.255.0
GATEWAY=10.136.103.1
BOOTPROTO=none
ONBOOT=yes
DEVICE=eth0
runcmd:
- [ifdown, eth0]
- [ifup, eth0]
manage_resolv_conf: true
resolv_conf:
nameservers: ['8.8.4.4', '8.8.8.8']
searchdomains:
- foo.example.com
- bar.example.com
domain: example.com
options:
rotate: true
timeout: 1
<?xml version="1.0" encoding="UTF-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<ComputerName>Windows2016</ComputerName>
<RegisteredOrganization>Nutanix</RegisteredOrganization>
<RegisteredOwner>Acropolis</RegisteredOwner>
<TimeZone>UTC</TimeZone>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<Identification>
<Credentials>
<Domain>contoso.com</Domain>
<Password>secret</Password>
<Username>Administrator</Username>
</Credentials>
<JoinDomain>contoso.com</JoinDomain>
<UnsecureJoin>false</UnsecureJoin>
</Identification>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-TCPIP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<Interfaces>
<Interface wcm:action="add">
<Identifier>Ethernet</Identifier>
<Ipv4Settings>
<DhcpEnabled>false</DhcpEnabled>
<RouterDiscoveryEnabled>true</RouterDiscoveryEnabled>
<Metric>30</Metric>
</Ipv4Settings>
<UnicastIpAddresses>
<IpAddress wcm:action="add" wcm:keyValue="1">10.0.0.2/24</IpAddress>
</UnicastIpAddresses>
<Routes>
<Route wcm:action="add">
<Identifier>10</Identifier>
<Metric>20</Metric>
<NextHopAddress>10.0.0.1</NextHopAddress>
<Prefix>0.0.0.0/0</Prefix>
</Route>
</Routes>
</Interface>
</Interfaces>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-DNS-Client" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<UseDomainNameDevolution>true</UseDomainNameDevolution>
<DNSDomain>contoso.com</DNSDomain>
<Interfaces>
<Interface wcm:action="add">
<Identifier>Ethernet</Identifier>
<DNSDomain>contoso.com</DNSDomain>
<DNSServerSearchOrder>
<IpAddress wcm:action="add" wcm:keyValue="1">10.0.0.254</IpAddress>
</DNSServerSearchOrder>
<EnableAdapterDomainNameRegistration>true</EnableAdapterDomainNameRegistration>
<DisableDynamicUpdate>true</DisableDynamicUpdate>
</Interface>
</Interfaces>
</component>
<component xmlns="" name="Microsoft-Windows-TerminalServices-LocalSessionManager" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<fDenyTSConnections>false</fDenyTSConnections>
</component>
<component xmlns="" name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<UserAuthentication>0</UserAuthentication>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Networking-MPSSVC-Svc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<FirewallGroups>
<FirewallGroup wcm:action="add" wcm:keyValue="RemoteDesktop">
<Active>true</Active>
<Profile>all</Profile>
<Group>@FirewallAPI.dll,-28752</Group>
</FirewallGroup>
</FirewallGroups>
</component>
</settings>
<settings pass="oobeSystem">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<UserAccounts>
<AdministratorPassword>
<Value>secret</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
</UserAccounts>
<AutoLogon>
<Password>
<Value>secret</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>Administrator</Username>
</AutoLogon>
<FirstLogonCommands>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985"</CommandLine>
<Description>Win RM port open</Description>
<Order>1</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
</FirstLogonCommands>
<OOBE>
<HideEULAPage>true</HideEULAPage>
<SkipMachineOOBE>true</SkipMachineOOBE>
</OOBE>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<InputLocale>en-US</InputLocale>
<SystemLocale>en-US</SystemLocale>
<UILanguageFallback>en-us</UILanguageFallback>
<UILanguage>en-US</UILanguage>
<UserLocale>en-US</UserLocale>
</component>
</settings>
</unattend>
Calm supports the following eScript modules.
Module | Module supported as |
---|---|
datetime | _datetime |
re | re |
difflib | difflib |
base64 | base64 |
pprint | pprint |
pformat | pformat |
simplejson | json |
ujson | ujson |
yaml | yaml |
Uuid | uuid |
requests | requests |
boto3 | boto3 |
azure | azure |
kubernetes | kubernetes |
The following example displays the usage of boto3 module.
import boto3
ec2 = boto3.client('ec2', aws_access_key_id='{}', aws_secret_access_key='{}', region_name='us-east-1')
print ec2.describe_regions()
The following example displays the usage of Azure module.
# subscription_id macro contains your Azure Subscription ID
# client_id macro contains your Client ID
# tenant macro contains you Tenant ID
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
credentials = ServicePrincipalCredentials(
client_id=@@{client_id}@@,
secret='secret',
tenant=@@{tenant}@@
)
client = ResourceManagementClient(credentials, @@{subscription_id}@@)
for item in client.resource_groups.list():
print(item)
The following example displays the usage of Kubernetes module.
from kubernetes import client as k8client
aToken="eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJl
cm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWN
jb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNl
YWNjb3VudC9zZWNyZXQubmFtZSI6InNhcmF0aC10b2tlbi1ubWo1cSIsImt1YmVybm
V0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJzYXJhdG
giLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQ
iOiIzODM1Zjk5MC0zZGJhLTExZWEtODgwNy01MDZiOGQzYjFhYjIiLCJzdWIiOiJzeXN0ZW06c2Vyd
mljZWFjY291bnQ6ZGVmYXVsdDpzYXJhdGgifQ.dLJCdlOGktRsXfxDItBdbYxDYJtnFS9pptQaKr
JS1QfWAiT93l_iPExZZ_7JGQ2t7glpe-DNEwfjKiqUkDKmuHZSxN9fV6PHjTc8CGOn1q4LV7
tFFkh4HNi-JjhLPkRRQUM6_y5qQSrx9asDEGVLGsoHjuMLhELi4Ghq1EOgcRxPCTQD6lq_C203Dap
PESdqPl7JsmIVBCkFUT4A8A4sseiOqq9ogX-QKvAwoI7yq97BMJLX7q868cNBRsbFzct1tS-CEx-RCPM95
qAzdLNUOrIszVVgSd7jLxIg_tqUH_yEj4T0cePsbLhrCBPRt6bHFCyg3RkIKRoIN2YBq0wPWw"
configuration=k8client.Configuration()
configuration.host="https://10.46.4.213:6443"
configuration.verify_ssl=False
configuration.debug=True
configuration.api_key={"authorization":"Bearer "+ aToken}
k8client.Configuration.set_default(configuration)
v1=k8client.CoreV1Api()
nodes=v1.list_node(watch=False)
print nodes.items[0].metadata.name
Calm supports the following eScript functions.
The API exposes REST interface as a set of objects. This action is implemented using python requests module.
urlreq(url, verb='GET', auth=None, c=None, user=None, passwd=None, params=None,
headers=None, timeout=None, send_form_encoded_data=True, allow_redirects=True,
cookies=None, verify=True, proxies=None)
requests.Response object is returned.
Arguments | Description |
---|---|
url | string, url to request |
verb |
string, verb is GET by default. POST, HEAD, PUT, PATCH, and DELETE are other valid entries. |
auth |
string (optional), BASIC and DIGEST are the valid entries.
For authentication purposes, the order is as follows.
|
user | string (optional), username used for authentication. |
passwd | string (optional), password used for authentication. |
params | dict (optional), if verb is GET, HEAD or DELETE, parameters are sent in the query string for the request otherwise they are sent in the body of the request. |
headers | dict (optional), Dictionary of HTTP headers needs to be send along with the request. |
timeout | integer (optional), you can configure requests to stop waiting for a response after a given number of seconds with the timeout parameter. timeout only elects the connection process itself, not the downloading of the response body. |
send_form_encoded_data | boolean (optional), = True by default. If False, parameters dict is first dumped using simplejson.dumps() and then passed as a string. |
allow_redirects |
boolean (optional), = True by default. Specifies whether redirects should be allowed or not. |
cookies | dict (optional), cookies dict to be sent along with the request. |
verify | boolean (optional), = True by default. Specifies whether SSL certificates should be verified or not. |
proxies | dict (optional), Dictionary mapping protocol to the URL of the proxy |
Rules for authentication in the order of priority.
If the above two criteria does not match, username and password are authenticated by using the credential attached to the task.
For example
params = {'limit': 1}
headers = {'content-type': 'application/octet-stream'}
r = urlreq(url, verb="GET", auth="BASIC", c='somecred', params=params, headers=headers)
r = urlreq(url, verb="POST", auth="BASIC", user="user", passwd="pass", params=params)
The exit function is an alias for sys.exit of python standard library.
exit(exitcode)
For example
exit(0)
The sleep function is an alias for time.sleep.
sleep(num_of_secs)
For example
sleep(10)
The _construct_random_password API generates a random password and returns it.
_construct_random_password(lower, upper=None, numCaps=0, numLetters=0,
numDigits=0, numPuncs=0, startwith=None, caps=None, letters=None,
digits=None, puncs=None)
Returns: String
Argument | Description |
---|---|
lower | integer, minimum number of characters in the password. |
upper | integer (optional), maximum number of characters in the password. If upper is not defined, then the password returned will always be as per lower, else the length can vary between lower and upper (both included). |
numCaps |
integer (optional), minimum number of capital letters that must be there in password. |
numLetters |
integer (optional), minimum number of letters that must be there in password. |
numDigits | integer (optional), minimum number of digits that must be there in password. |
numPuncs |
integer (optional), minimum number of punctuation alphabets that must be there in password. |
startwith |
string (optional), password returned starts with one of the characters provided in startwith string. |
caps | string (optional), default = 'A-Z'. This can be overridden. |
letters | string (optional), default = 'a-zA-Z'. This can be overridden. |
digits | string (optional), default = '0-9'. This can be overridden. |
puncs | string (optional), default = '!@#$%^&'. This can be overridden. |
The _is_bad_password function checks whether the password is correct or not.
_is_bad_password(password, reserved, dictionary=True, numCaps=0, numPuncs=0, \
numDigits=0, minLen=5)
For example
_is_bad_password("Abcd@123")
The _randomchoose function is used to get a random character from a string.
_randomchoose(string)
For example
_randomchoose("adsadrer")
The _shuffle function is used to shuffle the sequence.
_shuffle(sequence)
For example
_shuffle(a)
The get_sql_handle function enables you to remotely connect and manage SQL Servers. It is implemented by using python pymssql module.
get_sql_handle(server, username, password, database='', timeout=0, login_timeout=60, charset='UTF-8', as_dict=False, host='', appname=None, port='1433', conn_properties=None, autocommit=False, tds_version=None)
Returns pymssql.Connection object
Argument | Description |
---|---|
server (str) | database host |
user (str) | database user to connect as |
password (str) |
user’s password |
database (str) |
The database to initialize the connection with. By default SQL Server selects the database which is set as default for specific user |
timeout (int) | query timeout in seconds, default 0 (no timeout) |
login_timeout (int) | timeout for connection and login in seconds, default is 60 seconds |
charset (str) | character set with which to connect to the database |
For example
username="dbuser"
password="myP@ssworD"
server="10.10.10.10"
port="1433"
cnxn = get_sql_handle(server, username, password, port=port, autocommit=True)
cursor = cnxn.cursor()
# List all databases
cursor.execute("""
SELECT Name from sys.Databases;
""")
for row in cursor:
print row[0]
cnxn.close()
To refer to the video about supported eScripts, click here.
The following script is an EScript sample script.
#script
account_name = "@@{ACCOUNT_NAME}@@"
aviatrix_ip = "@@{address}@@"
new_test_password = "@@{NEW_TEST_PASSWORD}@@"
vpc_name = "Test"
api_url = 'https://{0}/v1/api'.format(aviatrix_ip)
#print api_url
def setconfig(api_url, payload):
r = urlreq(api_url, verb='POST', auth="BASIC", user='admin', passwd='passwd', params=payload, verify=False)
resp = json.loads(r.content)
if resp['return']:
return resp
else:
print "Post request failed", r.content
exit(1)
print "Get the session ID for making API operations"
payload = {'action': 'login', 'username': 'admin', 'password': new_test_password}
api_url1 = api_url + "?action=login&username=admin&password="+ new_aviatrix_password
cid = setconfig(api_url=api_url1, payload=payload)
cid = cid['CID']
print cid
print "Delete the gateway"
payload = {'CID': cid,
'action': 'delete_container',
'account_name': account_name,
'cloud_type': 1,
'gw_name': vpc_name
}
api_url1 = api_url + "?CID="+cid+"&action=delete_container&account_name="+account_name+"&cloud_type=1&gw_name="+vpc_name
print setconfig(api_url=api_url1,payload=payload)
print "Delete the aws account"
payload = {'CID': cid,
'action': 'delete_account_profile',
'account_name': account_name
}
api_url1 = api_url + "?CID="+cid+"&action=delete_account_profile&account_name="+account_name
print setconfig(api_url=api_url1,payload=payload)
The following script is a jwt usage sample script.
#script
jwt = '@@{calm_jwt}@@'
payload = {}
api_url = 'https://localhost:9440/api/nutanix/v3/apps/list'
headers = {'Content-Type': 'application/json', 'Accept':'application/json', 'Authorization': 'Bearer {}'.format(jwt)}
r = urlreq(api_url, verb='POST', params=json.dumps(payload), headers=headers, verify=False)
if r.ok:
resp = json.loads(r.content)
print resp
exit(0)
else:
print "Post request failed", r.content
exit(1)
The following script is a powershell sample script.
Install-PackageProvider -Name NuGet -Force
Install-Module DockerMsftProvider -Force
Install-Package Docker -ProviderName DockerMsftProvider -Force
The following script is a guest customization sample script for the Azure service.
<AutoLogon>
<Password>
<Value>@@{user.secret}@@</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>@@{user.username}@@</Username>
</AutoLogon>
The following script is a guest customization sample script for the Azure service.
<FirstLogonCommands>
<SynchronousCommand>
<CommandLine>cmd.exe /c powershell -Command get-host</CommandLine>
<Order>1</Order>
</SynchronousCommand>
</FirstLogonCommands>
The following script is a guest customization sample script for the VMware service.
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set winrm/config/service/auth @{Basic="true"}
powershell -Command "enable-psremoting -Force"
powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"
The following script is a guest customization sample script for the GCP service.
#! /bin/bash\napt-get update\napt-get install -y apache2\ncat <<EOF > /var/www/html/index.html\n<html><body><h1>Hello World</h1>\n<p>This page was created from a simple startup script!</p>\n</body></html>\nEOF
Calm blueprints public repository contains custom blueprints and custom scripts that are created and published by community members. Calm also publishes official blueprints and tasks to the github public repository. You can clone the published blueprints and scripts and use from the repository. To access the repository, click here .
The blueprints repository of Calm contains script that can be seeded into task library and published to projects. You can use these tasks for blueprint configuration.
bash generate_task_library_items.sh
export PC_IP=<prism central IP>
export PC_USER=<prism central user>
export PC_PASSWORD=<prism central password>
export PC_PROJECT=<prism central project>
python generate_task_library.py --pc $PC_IP--user $PC_USER --password $PC_PASSWORD --project $PC_PROJECT --script <path of script>
Calm license for Prism Central enables you to manage VMs that are provisioned or managed by Calm. Nutanix provides a free trial period of 60 days to try out Calm.
The Prism web console and Nutanix Support portal provide the most current information about
your licenses. For detailed information about the Calm licensing feature, refer to the
Prism Central Guide
.
Upgrade Calm or Epsilon using the Life Cycle Manager (LCM) from Prism Central. Epsilon is the orchestration engine for Calm. For more information , see Life Cycle Manager.
Use LCM to display the software and firmware versions of the entities in the cluster.
Use LCM to upgrade Calm and Epsilon to the latest available versions.
If you do not select any specific updates, the LCM performs all available updates.
By default, LCM automatically fetches updates from a pre-configured URL. If LCM fails to access the configured URL to fetch updates, you can configure the LCM to fetch updates locally to upgrade Calm and Epsilon.
Perform the following procedure to upgrade Calm and Epsilon at a dark site.
The LCM sidebar now shows the LCM framework with the updated version.
Refer to this section to upgrade Calm to the latest available version after you deploy the Calm VM.
Use the following procedure to upgrade Calm and Epsilon from Calm VM 3.5.0 to 3.5.1.
genesis stop nucalm epsilon
/usr/local/nutanix/nucalm/
)
and remove the tar file.
nucalm.tar.xz
from the Downloads location.
/usr/local/nutanix/epsilon/
) and remove the tar file.
epsilon.tar.xz
from the Downloads location.
cluster start
To upgrade Calm VM using the PC method, do the following:
Check if the compatible PC version is available. If not, go to the Name Servers page and enter the global DNS server as the Name server.
A confirmation window appears.
Click Yes to start the download process. After the download gets completed, you can view the Upgrade list.
During the upgrade process, the Calm VM gets restarted.
Also, you can log in to the Calm VM GUI to view the upgraded version. In the top-left corner, click User Menu > About Nutanix .
You can upgrade to newer versions of Calm without performing a VM upgrade. Upgrades to most minor releases and few major releases are done using the LCM method.
To upgrade Calm VM using the LCM method, do the following:
A confirmation window appears.
Note that the Epsilon check-box also gets selected. Epsilon is the orchestration engine used by Calm.
A confirmation window appears.
By default, Life Cycle Manager (LCM) automatically fetches updates from a pre-configured URL. If LCM fails to access the configured URL to fetch updates, you can configure the LCM to fetch updates locally to upgrade Calm and Epsilon. Perform the following procedure to upgrade Calm and Epsilon at a dark site.
The LCM sidebar now shows the LCM framework with the same version as the LCM dark site bundle you downloaded.
The Credential Security Support Provider (CredSSP) protocol is a security support provider that you implement using the Security Support Provider Interface (SSPI). CredSSP allows an application to delegate credentials of a user from the client to the target server for remote authentication. CredSSP provides an encrypted transport layer security protocol channel. The client is authenticated over the encrypted channel by using the Simple and Protected Negotiate (SPNEGO) protocol with either Microsoft Kerberos or Microsoft NTLM.
For more information, refer to the Microsoft Documentation .
Perform the following procedure to enable CredSSP.
> Enable-WSManCredSSP -Role Server -Force
Perform the following procedure to generate an SSH key pair on a Linux VM.
$ ssh-keygen -t rsa
Perform the following procedure to generate an SSH key pair on Windows.
Integrated Linux based PowerShell gateway is an in-built microservice of Calm that you can use to run Windows PowerShell scripts. You do not have to install any Windows VM separately or install Karan service manually to run the PowerShell scripts in Calm. Perform the following task to run the PowerShell scripts in Calm.
> Install-windowsfeature -name AD-Domain-Services –IncludeManagementTools
> Enable-WSManCredSSP -Role Server -Force
> Install-windowsfeature -name AD-Domain-Services –IncludeManagementTools
You might encounter the following errors when you run the PowerShell scripts using the integrated Linux based PowerShell gateway.
Error | Description |
---|---|
Access denied |
If the VM and the WinRM services are started but the specified credential is wrong. You encounter the error in the following cases.
|
Connection refused |
You encounter the connection refusal error in the following cases.
|
Nutanix localizes the user interface in simplified Chinese and Japanese. All the static
screens are translated to the selected language. You can change the language settings of the
cluster from English (default) to simplified Chinese or Japanese. For information on how to
change the language setting, refer to the
Prism Central
Guide
.
Product Release Date: 2022-08-03
Last updated: 2022-11-10
Calm allows you to seamlessly select, provision, and manage your business applications across your infrastructure for both the private and public clouds. Calm provides application automation, lifecycle management, monitoring, and remediation to manage your heterogeneous infrastructure, for example, VMs or bare-metal servers.
Calm supports multiple platforms so that you can use the single self-service and automation interface to manage all your infrastructure. Calm provides an interactive and user-friendly graphical user interface (GUI) to manage your infrastructure.
Calm is a multi-cloud application management framework that offers the following key benefits:
Calm simplifies the setup and management of custom enterprise applications by incorporating all important elements, such as the relevant VMs, configurations, and related binaries into an easy-to-use blueprint. These blueprints make the deployment and lifecycle management of common applications repeatable and help infrastructure teams eliminate extensive and complex routine application management.
Calm unifies the management of all your clouds into a single-pane-of-glass, removing the need to switch between portals. Calm automates the provisioning of multi-cloud architectures, scaling both multi-tiered and distributed applications across different cloud environments, including AWS, GCP, Azure, and VMware (on both Nutanix and non-Nutanix platforms).
Calm empowers different groups in the organization to provision and manage their own applications, giving application owners and developers an attractive alternative to public cloud services. Calm provides powerful, application-centric self-service capabilities with role-based access control. All activities and changes are logged for end-to-end traceability, aiding security teams with key compliance initiatives.
The marketplace offers preconfigured application blueprints that infrastructure teams can instantly consume to provision applications. The marketplace also provides the option to publish sharable runbooks. A runbook is a collection of tasks that are run sequentially at different endpoints. Infrastructure teams can define endpoints and use runbooks to automate routine tasks and procedures that pan across multiple applications without the involvement of a blueprint or an application.
With native integration into Beam, Calm also shows the overall utilization and true cost of public cloud consumption to help you make deployment decisions with confidence.
Combined with Nutanix Karbon or your choice of certified Kubernetes, Calm provides the tools required to modernize applications without losing control of policy. Additionally, Calm natively integrates with Jenkins to empower CI/CD pipelines with automatic infrastructure provisioning or upgrades for all applications.
Calm DSL describes a simpler Python3-based Domain Specific Language (DSL) for writing Calm blueprints. DSL offers all the richness of the Calm user interface along with additional benefits of being human readable and version controllable code that can handle even the most complex application scenario. DSL can be also used to operate Calm from a CLI.
As Calm uses Services, Packages, Substrates, Deployments and Application Profiles as building blocks for a blueprint, these entities can be defined as Python classes. You can specify their attributes as class attributes and define actions on those entities (procedural runbooks) as class methods.
Calm DSL also accepts appropriate native data formats such as YAML and JSON that allow reuse into the larger application lifecycle context of a Calm blueprint.
For technical articles, videos, labs and resources on Calm DSL, see Nutanix Calm DSL on Nutanix.dev.
You must configure the following components before you start using Calm.
Before you enable Calm from Prism Central, ensure that you have met the following prerequisites.
You can go to the Software Product Interoperability page to verify the compatible versions of Calm and Prism Central.
Nutanix certifies the following benchmarks for single-node deployment profiles (non-scale-out) and three-node deployment profiles (scale-out). Each benchmark contains scale numbers across different entities of Calm. Because the scaling properties of these entities often depend on each other, changes to one entity might affect the scale of other entities. For example, if your deployment has smaller number of VMs than the benchmarked number, you can have a higher number of blueprints, projects, runbooks, and so on.
Use these guidelines as a good starting point for your Calm installation. You might have to allocate more resources over time as your infrastructure grows.
The following table shows the Calm benchmarks for a single-node Prism Central profile.
Prism Central size | Prism Central configuration | Number of VMs | Number of single-VM blueprints | Number of single-VM applications | Number of projects | Number of runbooks |
---|---|---|---|---|---|---|
Small (1 node) |
6 vCPUs and 30 GB of memory for each node. |
2000 | 400 | 2000 | 50 | 250 |
Large (1 node) |
10 vCPUs and 52 GB of memory for each node. |
7000 | 1400 | 7000 | 250 | 500 |
The following table shows the Calm benchmarks for a three-node Prism Central profile. If high-availability is preferred, it is recommended to use the scale-out deployment.
Prism Central size | Prism Central configuration | Number of VMs | Number of single-VM blueprints | Number of single-VM applications | Number of projects | Number of runbooks |
---|---|---|---|---|---|---|
Small (3 nodes, scale out) |
6 vCPUs and 30 GB of memory for each node. |
3500 | 700 | 3500 | 100 | 500 |
Large (3 nodes, scale out) |
10 vCPUs and 52 GB of memory for each node. |
12500 | 2500 | 12500 | 500 | 1000 |
The following considerations are applicable for both Calm single-node and three-node (scale-out) profiles:
The maximum throughput on a large three-node (scale-out) deployment profile is 400 VMs per hour.
For a list of required Calm ports, see Port Reference. The Port Reference section provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.
Calm is integrated into Prism Central and does not require you to deploy any additional VMs. To start using Calm, you only have to enable Calm from Prism Central.
If the Prism web console is not registered from a Prism Central and the application blueprints have subnet, image, or VMs on the Prism web console, the Calm functionality is impacted.
Prism Central Guide
.
You can check the version of your Calm instance from the Calm user interface.
Calm VM is a standalone VM that you can deploy on AHV and ESXi hypervisors and leverage calm functionality without the Nutanix infrastructure.
You can deploy Calm using the image at the Nutanix Support Portal - Downloads page and manage your applications across a variety of cloud platforms. Calm VM deployment eliminates the need of the complete Nutanix infrastructure to use Calm features.
For information on Calm VM deployment on AHV, see Deploying Calm VM on AHV.
This section describes the steps to deploy a Calm VM on AHV.
You must create a VM with a specific Open Virtualization Format (OVF) image to access the Calm UI.
For more information, see Deploying OVA Template on VMware vSphere section in the VMware documentation .
This section describes the steps to deploy a Calm VM by using the vSphere CLI (govc).
$ govc import.ova -name 5.17.1-prismcentral -3.0.0.1 http://endor.dyn.nutanix.com/GoldImages/calm-vm
If you have downloaded the OVF file on your system, replace http://endor.dyn.nutanix.com/GoldImages/calm-vm with the location of the OVF file.
Running the command starts the uploading process. Once the uploading is complete, power on the Calm VM from the vSphere web client.
Use the following procedure to set up Scale-out version of Calm VM.
cluster stop
cluster destroy
#cluster --cluster_function_list="multicluster" -s <ip1>,<ip2>,<ip3> create
For example:
cluster --cluster_function_list="multicluster" -s 10.46.141.71,10.46.138.20,10.46.138.26 create
cluster --cluster_function_list="multicluster" --cluster_name "<Cluster Name>" -s <ip1>,<ip2>,<ip3> --cluster_external_ip=<vip> create
For example:
cluster --cluster_function_list="multicluster" --cluster_name "Demo" -s 10.46.141.71,10.46.138.20,10.46.138.26 --cluster_external_ip=10.46.141.70 --dns_servers 10.40.64.15,10.40.64.16 create
cd /home/nutanix/bin
python enable_calm.py
cluster status
docker cp /home/nutanix/bin/set_policy_calmvm.pyc nucalm:/home
docker cp /home/nutanix/bin/set_policy.sh nucalm:/home
docker exec nucalm /bin/sh -c '/home/set_policy.sh <POLICY_VM_IP> <POLICy_VM_UUID>'
Use the following steps to enable policy engine for Calm VM.
docker cp /home/nutanix/bin/set_policy_calmvm.py nucalm:/home
docker cp /home/nutanix/bin/set_policy.sh nucalm:/home
docker exec nucalm /bin/sh -c '/home/set_policy.sh <POLICY_VM_IP> <POLICY_VM_UUID>'
policy-engine.tar.gz
file from the Downloads page on to the policy
engine VM.
policy-engine.tar.gz
file.
upgrade.sh
.
docker ps
command to check the status of
policy containers, and wait for the containers to get healthy.
set_policy_calmvm.py
script from the
Downloads page into the
/home/nutanix/bin/
directory of your Calm VM
and provide the execute permission.
set_policy.sh
script from the Downloads page into the
/home/nutanix/bin/
directory of your Calm VM
and provide the execute permission.
By Default, Calm VM uses DHCP IP address. You can use the following procedure to launch Calm VM using a static IP address.
The following table lists the different tabs in Calm, their icons, and their usage:
Icons | Tab | Usage |
---|---|---|
Marketplace tab | To instantly consume application blueprints to provision applications. See Marketplace Overview. | |
Blueprint tab | To create, configure, publish, and launch single-VM or multi-VM blueprints. See Calm Blueprints Overview. | |
Application tab | To view and manage applications that are launched from blueprints. See Applications Overview. | |
Library tab | To create and use variable types and tasks. You use variables and tasks while configuring a blueprint. See Library Overview. | |
Runbooks tab | To automate routine tasks and procedures that pan across multiple applications without involving any blueprints or applications. See Runbooks Overview. | |
Endpoints tab | To create and manage target resources where the tasks defined in a runbook or in a blueprint can run. See Endpoints Overview. | |
Settings tab |
To enable or disable general settings. See General Settings in Calm. To configure and manage provider accounts. See Provider Account Settings in Calm. To configure and manage credential provider. See Configuring a Credential Provider. |
|
Policies tab | To schedule application actions and runbook executions. See Scheduler Overview. | |
Marketplace Manager tab | To manage approval and publishing of application blueprints. See Marketplace Manager Overview. | |
Projects tab | To create users or groups and assign permissions to use Calm. Projects tab also allows you to configure environment for your providers. See Projects Overview. |
You can use the following procedure to explore Calm user interface and get an overview of the Calm components.
You can use the following procedure to access the Calm REST API explorer console from the Calm user interface.
Calm manages the role-based access control using projects. Projects are logical groupings of user roles, accounts, VM templates, and credentials that are used to manage and launch blueprints and applications within your organization. For more information, see Projects Overview.
Users or groups are allowed to view, launch, or manage applications based on the roles that are assigned within the projects. Calm has the following roles for users or groups:
Project admins have full control of the project. They can perform reporting and user management, create blueprints, launch blueprints, and run actions on the applications.
Developers can create blueprints, launch blueprints, and run actions on the applications. They are, however, not allowed to perform reporting and user management.
Consumers can launch new blueprints from the marketplace and run actions on the applications. They are, however, not allowed to create their own blueprints.
Operators have minimum access and are allowed only to run actions against existing applications. They are not allowed to launch new blueprints or edit any existing blueprints.
The following table details the roles and responsibilities in Calm:
Prism Admin | Project Admin | Developer | Consumer | Operator | ||
---|---|---|---|---|---|---|
Marketplace | Enable and Disable | X | ||||
Manage | X | |||||
App publishing request | X | X | X | |||
Send App publishing request to the Administrator | X | X | ||||
Clone and edit App blueprint | X | X | X | |||
Blueprint | Create, update, delete, and duplicate | X | X | X | ||
Read-only | X | X | X | X | ||
Launch | X | X | X | X | ||
Applications | Complete App summary | X | X | X | X | X |
Run functions | X | X | X | X | X | |
App debug mode | X | X | X | X | X | |
Function edit | X | X | X | |||
Create App (brownfield import) | X | X | X | |||
Delete App | X | X | X | X | ||
Settings | CRUD | X | ||||
Task Library | View | X | X | X | X | X |
Create and Update | X | X | X | |||
Delete | X | |||||
Sharing with Projects | X | |||||
Projects | Add project | X | ||||
Update project | X | X | ||||
Add VMs to projects | X | |||||
Custom roles | ||||||
Users | Add users to the system and change roles | X | ||||
Add and remove users to or from a project | X | X | ||||
Change user roles in a project | X | X | ||||
Create Administrator | X | |||||
Create Project Administrator | X | X | ||||
Runbooks | Create and Update | X | X | X | ||
View | X | X | X | X | X | |
Delete | X | X | X | |||
Execute | X | X | X | X | X | |
Endpoints | Create and Update | X | X | X | ||
View | X | X | X | X | X | |
Delete | X | X | X | |||
Scheduler | Create, delete, and clone jobs | X | X | X | X | |
Read job and view execution status | X | X | X | X | X | |
Update job name, schedule, executable, and application action | X | X | X | X | ||
Edit operations on a blueprint launch | X | X | X | X | ||
Edit operations on runbook executions | X | X | X | X | ||
Edit operations on application actions | X | X | X | X | ||
Edit operations on Marketplace launch | X | X | X | X |
When you enable Calm, you get an out-of-the-box blueprint, a default project, and a preconfigured application profile with your Nutanix account. You can use the blueprint, project, and application profile to instantaneously launch your first application.
To quickly provision a Linux or Windows Infrastructure as a Service (IaaS) for your end users, you can configure and launch a single-VM blueprint in Calm.
Provisioning a Linux or Windows IaaS involves configuring the single-VM blueprint VM specifications and launching the blueprint.
The Settings tab allows you to control the overall administrative functionalities of the Calm instances. You must be a Prism Central administrator to access the Settings tab.
You can use the Settings > General tab to control the following functionalities:
Enable Nutanix Marketplace Applications to view and launch ready-to-use application blueprints. These application blueprints appear on the Marketplace Manager tab for publishing. You can publish the blueprints to the marketplace after associating them with a project.
Showback allows you to estimate the overall service cost of the applications running on your on-prem cloud. You can also view the graphical representation of the cost of the applications.
To enable and configure showback, see Enabling Showback.
Enable Showback to configure the resource cost of your applications and monitor them while you configure a blueprint or manage an application. Showback is applicable only for the Nutanix platform and the VMware through vCenter platform.
Disable showback to stop monitoring the resources cost of your application blueprints.
The policy engine is a single-VM setup for the single or scale-out Prism Central. When you enable the policy engine for your Calm instance, a new VM is created and deployed for the policy engine. All you need is an available IP address that belongs to the same network as that of your Prism Central VM for the policy engine VM.
As an administrator, you can enable the policy engine to:
The policy engine is a single-VM setup for the single or scale-out Prism Central.
When you enable the policy engine for your Calm instance, a new VM is created and deployed for the policy engine. All you need is an available IP address that belongs to the same network as that of your Prism Central VM for the policy engine VM.
You can enable the policy engine at a dark site.
<Calm version number>-CalmPolicyVM.qcow2
<Calm version number>-CalmPolicyVM.ova
After you enable the policy engine, you can set up the default quota values for vCPU, memory, and disk. This step is optional.
Setting up quota defaults saves you from repeatedly entering vCPU, memory, and disk quota values for each cluster. After you set the quota defaults, the default quota values populate automatically when you allocate quotas to your provider accounts.
After you enable policy engine, review the policy engine VM configuration, network configuration, and cluster information on the Policies tab of your Setttings page. For example, you can view the power status, protection status, or cluster name of the policy engine VM.
Disable the policy enforcement for your Calm instance if the policy engine VM encounters any connectivity issues or the policy engine VM is not responding.
You can enable approvals for your Calm instance from the settings page.
When you enable approvals, events such as runbook executions, application launch, and application day-2 operations that match the conditions defined in the approval policy go through the approval process.
You can disable approvals for your Calm instance from the Settings page.
When you enable approvals, events such as runbook executions, application launch, and application day-2 operations do not go through the approval process even when they match the conditions defined in the approval policy.
You can view the configuration details and email template on the Policies tab of the Settings page.
The content of the email templates for approver or requester can be modified only using the APIs. You can use the following supported email template variables.
You can use these variables with the {{}} syntax. For example, {{.PCIP}} .
You can view the protection and recovery status of a Calm application when:
You can view the protection and recovery status of the application on the Application Overview page. For more information, see Overview Tab.
To enable the option to show application protection status, see Enabling Application Protection Status View.
Enable the Show App Protection Status toggle button to view the protection and recovery status of a Calm application that is deployed on a Nutanix platform. You must be a Prism Central administrator to enable or disable the toggle button.
Calm automatically archives run logs of the deleted applications and custom actions that are older than three months. You can download the archives within 7 days from the time of archive creation.
For a running application, data is not archived for the system-generated Create actions.
You can get the following information for Start, Restart, Stop, Delete, and Soft Delete system-generated actions and user-created actions.
Calm archives all action details of a deleted application.
Only an administrator can view and download the application log archive. For more information, see Downloading Application Log Archive.
Calm periodically archives application logs to clear resources. You can download the archived application logs from the Settings tab.
Provider accounts are cloud services, baremetals, or existing machines that you can use to deploy, monitor, and govern your applications. You can configure multiple accounts of the same provider.
Use the Settings > Accounts tab to configure provider accounts. You configure provider accounts (by using the provider credentials) to enable Calm to manage applications by using your virtualization resources.
Calm supports the following provider accounts:
Provider Accounts | Description |
---|---|
Nutanix |
All the AHV clusters that are registered to the Prism Central instance are
automatically added as providers.
Note:
If you want to add a remote Prism Central (PC)
instance as a provider in a multi-PC setup, you must add the remote PC instance as
an account in Calm. For more information, see Configuring a Remote Prism Central Account.
|
VMware | To configure a VMware account, see Configuring a VMware Account. |
AWS | To configure an AWS account, see Configuring an AWS Account. |
Azure | To configure an Azure account, see Configuring an Azure Account. |
GCP | To configure a GCP account, see Configuring a GCP Account. |
Kubernetes | To configure a Kubernetes account, see Configuring a Kubernetes Account. |
Xi Cloud | To configure Xi Cloud as a provider, see Configuring a Xi Cloud Account. |
All AHV clusters that are registered to your Prism Central instance are automatically added as provider accounts to Calm.
You can also configure any remote Prism Central (PC) as an account in Calm to deploy applications on the remote PC. For more information, see Support for Multi-PC Setup.
In a multiple Prism Centrals (multi-PC) setup, a central Calm instance (called global Calm instance) runs only on one of the PCs (called host or parent PC) and all the other PCs are connected to the central Calm instance as the remote PCs.
The global Calm instance can now manage the applications deployed on the geographically distributed Prism Centrals (also called remote PCs) without the need of separate Calm instances for every PC. A remote PC is only used to provision the tasks for the deployed applications.
In a multi-PC environment, every remote PC is added as an account to the host PC and you can add the account to your project before creating and launching a blueprint.
For more information about adding a remote PC as an account, see Configuring a Remote Prism Central Account.
For more information about adding the account to a project, see Adding Accounts to a Project.
To deploy an application on a remote PC, you must configure the remote PC as an account in Calm.
You require the role of a Prism Admin to configure a remote PC account.
For more information about multiple Prism Central setup support, see Support for Multi-PC Setup.
Calm lets you use Virtual Private Clouds within the Flow Virtual Networking framework to network the VMs using overlay networks. A VPC is an independent and isolated IP address space that functions as a logically isolated virtual network. VMs that you create with VPC Subnets cannot communicate with a VM that is outside the VPC. Even the VMs outside the VPC cannot reach the VMs within the VPC.
In the absence of this direct communication, you can set up tunnels to communicate with the VMs within the VPC for orchestration activities and to run script-based tasks. You can set up the tunnel VM in any one of the subnets within the VPC.
To set up tunnels for your VPCs, you must:
For more information on creating VPC tunnels, see Creating VPC Tunnels.
In your Nutanix account, you set up tunnels to get access to the VMs that are created within the VPCs.
The tunnels that you create enables you to perform check log-in and run script-based execution tasks on the VMs that use the overlay subnets of the VPC.
If tunnel is not configured for the selected VPC, you can only perform basic operations (such as VM provisioning) on the VPC.
Configure your VMware account in Calm to manage applications on the VMware platform.
To refer to the video about setting up VMware as provider, click here.
The following table provides the complete list of permissions that you need to enable in vCenter before you configure your VMware account in Calm.
Entity | Permission |
---|---|
Datastore |
|
Network |
|
Resource |
|
vSphere Tagging |
|
Virtual Machine > Change Configuration |
|
Virtual Machine > Interaction |
|
Virtual Machine > Edit Inventory |
|
Virtual Machine > Provisioning |
|
You must define the custom role at the vCenter level instead of the Datacenter level. For information on how to enable permissions in vCenter, see the vSphere Users and Permissions section in the VMware documents.
Calm supports the following versions of vSphere.
Configure your AWS account in Calm to manage applications on the AWS platform.
nutanix@cvm$ ncli cluster get-name-servers
GovCloud (US) is an isolated AWS region to help the United States government agencies and federal IT contractors host sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements.
The AWS GovCloud (US) region supports the management of regulated data by restricting physical and logical administrative access to U.S. citizens only.
To manage applications on the AWS platform using Calm, you must have a privileged AWS user account with an appropriate policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListRoles",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:GetAccountPasswordPolicy",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateSnapshot",
"ec2:CreateImage",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:DisassociateIamInstanceProfile",
"ec2:RegisterImage",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot",
"ec2:GetConsoleOutput",
"ec2:Describe*",
"ec2:DeleteTags",
"ec2:TerminateInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["iam:ListUserPolicies"],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
},
{
"Effect": "Allow",
"Action": ["iam:PassRole"],
"Resource": ["arn:aws:iam::*:role/*"]
}
]
}
The following table displays the list of user policy privileges and the corresponding JSON attributes that you can add in the JSON syntax to assign different privileges to a user.
To create | JSON attributes |
---|---|
EC2 Instances |
ec2:RunInstances
|
Volumes |
ec2:CreateVolume
|
Snapshot |
ec2:CreateSnapshot
|
Image(AMI) |
ec2:CreateImage
|
To list or get | JSON attributes |
SSH Public Keys for all users |
iam:ListSSHPublicKeys
|
List IAM Roles |
iam:ListRoles
|
EC2 attributes |
ec2:Describe*
|
EC2 instance console output |
ec2:GetConsoleOutput
|
IAM user policies for the user |
iam:ListUserPolicies
|
To update | JSON attributes |
Image(AMI) attributes |
ec2:ModifyImageAttribute
|
To delete | JSON attributes |
EC2 Instances |
ec2:TerminateInstances
|
Instance Tags |
ec2:DeleteTags
|
Snapshot |
ec2:DeleteSnapshot
|
Images(deregister images) |
ec2:DeregisterImage
|
Others | JSON attributes |
Start/Stop/Restart Instances |
ec2:RunInstances, ec2:StartInstances, ec2:StopInstances,
ec2:RebootInstances
|
Pass and IAM role to service |
iam:PassRole
|
Configure your GCP account in Calm to manage applications on the GCP platform.
Configure your Azure account in Calm to manage applications on the Azure platform.
You must have a privileged Azure user account to manage applications on an Azure platform using Calm.
To refer to a video about assigning minimum privilege to configure Azure account to work with Calm, click here.
{
"Name": "Calm Admin",
"IsCustom": true,
"Description": "For calm to manage VMs on azure provisioned from calm applications",
"Actions": [
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/checknameavailability/read",
"Microsoft.Storage/skus/read",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/publicIPAddresses/*",
"Microsoft.Network/publicIPPrefixes/*",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/write",
"Microsoft.Compute/disks/*",
"Microsoft.Compute/images/read",
"Microsoft.Compute/images/write",
"Microsoft.Compute/locations/publishers/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/snapshots/*",
"Microsoft.Compute/locations/vmSizes/read",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.GuestConfiguration/*/read",
"Microsoft.GuestConfiguration/*/write",
"Microsoft.GuestConfiguration/*/action",
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/vaults/deploy/action"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/<subscription id>"
]
}
az role definition create --role-definition <file>.json
az ad sp create-for-rbac -n "CalmAccount" --role "Calm Admin"
Configure your Kubernetes account in Calm to manage applications on the Kubernetes platform.
For Calm to manage workloads on Amazon EKS, Azure Kubernetes Service (AKS), or Anthos, enable the generic authentication mechanism and create a service account on the Kubernetes cluster. You can then use the service account to communicate with the cluster.
kubectl create serviceaccount ntnx-calm
kubectl create clusterrolebinding ntnx-calm-admin --clusterrole
cluster-admin --serviceaccount default:ntnx-calm
SECRET_NAME=$(kubectl get serviceaccount ntnx-calm -o
jsonpath='{$.secrets[0].name}')
kubectl get secret ${SECRET_NAME} -o jsonpath='{$.data.token}' |
base64 –decode
kubectl config view --minify --raw -o
jsonpath='{.clusters[*].cluster.certificate-authority-data}' | base64
–decode
To manage workloads on Nutanix Xi Cloud, add your Xi Cloud as an account in Calm if your Prism Central is paired with a Xi cloud. Calm automatically discovers the availability zones of the Xi Cloud and allows you to add the Xi Cloud account as a provider account.
Calm automates the provisioning and management of infrastructure resources for both private and public clouds. When any configuration changes are made directly to the Calm-managed resources, Calm needs to sync up the changes to accurately calculate and display quotas and Showback information.
Platform sync enables Calm to synchronize any changes in the clusters that are managed by Calm on connected providers. These changes can be any IP Address changes, disk resizing, unavailability of VMs, and so on.
For example, when a VM is powered off externally or deleted, platform sync updates the VM status in Calm. Calm then adds the infrastructure resources consumed by the VM (memory and vCPU) to the total available quota.
You can specify an interval after which the platform sync must run for a cluster. For more information, see Configuring a Remote Prism Central Account and Configuring a VMware Account.
Platform sync enables Calm to synchronize any changes in the clusters that are managed by Calm on connected providers. These changes can be any IP Address changes, disk resizing, unavailability of VMs, and so on. You can sync up the configuration changes instantly for your accounts.
Allocate resource quotas to your accounts to have a better control over the infrastructure resources (computer, memory, and storage) that are provisioned through Calm. Based on the resource quota you allocate, the policy engine enforces quota checks when applications are launched, scaled-out, or updated.
Use the utilization report to analyze how the projects to which the cluster is assigned consumed the allocated resources of the cluster. For example, if a Nutanix cluster is assigned to three different projects, you can analyze how the assigned projects consumed the allocated resources of that cluster.
Credentials help in abstracting identity settings while connecting to an external system. Credentials are used to authenticate a user to access various services in Calm. Calm supports key-based and password-based authentication method.
Credentials are used in multiple Calm entities and workflows.
Environment allows a Project Admin to add multiple credentials and configure VM default specifications for each of the selected providers as a part of project and environment configurations.
Project admins must configure an environment before launching an application from the marketplace. The recommendation is to have at least one credential of each secret type (SSH or password) to be defined under each environment in the project. These values get patched wherever the credential values are empty when you launch your marketplace items.
Developers can add credentials to a blueprint. These credentials are referenced after the VM is provisioned. Credentials defined within an environment of a project have no significance or impact on the credentials you define within the blueprint.
Calm supports export and import of blueprints across different Prism Central or Calm instances along with the secrets. The developer uses a passphrase to encrypt credentials and then decrypts credentials in a different instance using the same passphrase to create a blueprint copy.
All global marketplace items have empty credentials values. However, locally published blueprints can have the credential values if the developer published the blueprint with the Publish with Secret s option enabled.
When you launch a marketplace item, credentials are patched wherever the value is empty. In case there are multiple credentials of a particular type configured within the environment of a project, you get the option to select a credential for the launch.
Owners can change the credential value of an application multiple times until the application is deleted. The latest value of a credential that is available at that point in the application instance is used when an action is triggered.
Any change in the credential value at the application level does not impact the credential value at the corresponding blueprint level.
Calm allows managing the following types of credentials:
Static credentials in Calm are modelled to store secrets (password or SSH private key) in the credential objects that are contained in the blueprints that the applications copy.
Calm supports external credential store integration for dynamic credentials. A credential store holds username and password or key certificate combinations and enables applications to retrieve and use credentials for authentication to external services whenever required. As a developer, you can:
For more information about configuring a credential provider, see Configuring a Credential Provider.
When a blueprint uses a dynamic credential, the secret (password or SSH private key) is not stored in the credential objects within the blueprint. The secret values are fetched on demand by executing the runbook within the credential provider that you configure in Calm and associate with the blueprint.
Calm supports external credential store integration for dynamic credentials.
As a developer, you can define variable, runbook, and attributes in a dynamic credential provider definition.
A project defines Active Directory users or groups to manage common set of requirements or functions. For example, a project can define a team collaborating on an engineering project. A project specifies roles to associate its members, select existing networks that the deployed VMs can use, and (optionally) set usage limits on infrastructure resources.
The refactored project provides a consistent experience when you access it from Prism Central or from Calm. However when Calm is enabled, you can also configure application management specific features in your projects.
For more information on the Project Summary view and Project Details view, see Project Summary View and Project Details View.
For more information on how to create a project, add users, add infrastructure, configure environments, and managing quota and snapshot policies, see Projects Overview in the Prism Central Guide.
A blueprint is the framework for every application that you model by using Calm. Blueprints are templates that describe all the steps that are required to provision, configure, and execute tasks on the services and applications that you create.
You create a blueprint to represent the architecture of your application and then run the blueprint repeatedly to create an instance, provision, and launch applications.
A blueprint also defines the lifecycle of an application and its underlying infrastructure; starting from the creation of the application to the actions that are carried out on a blueprint until the termination of the application.
You can use blueprints to model the applications of various complexities; from simply provisioning a single virtual machine to provisioning and managing a multi-node, multi-tier application.
Calm uses services, application profiles, packages, substrates, and actions as building blocks for a blueprint to define applications.
An application is made up of multiple components (or services) working together. The architecture of an application is composed of compute, storage, network, and their connections and dependencies. Services are logical entities that are exposed by an IP address. End users and services communicate with each other over a network through their exposed IP addresses and ports. For more information, see Services Overview.
Any useful blueprint requires infrastructure for instantiation. A blueprint can specify the exact infrastructure or can be completely left to the blueprint user to specify at the time of instantiation.
An application profile provides different combinations of the service, package, and VM (infrastructure choices) while configuring a blueprint. The application profile allows you to use the same set of services and packages on the different platforms. You select an application profile while launching your blueprint.
Application profiles determine where an application should run, for example, on a Nutanix provider account or on an Azure account. Application profiles also control the T-shirt sizing of an application. T-shirt sizing means that the value of a variable might change based on the selection of a small or a large instance of an application.
If Showback feature is enabled, the application profile also displays service cost of the resources used for an application.
Package Install and Uninstall are operations that are run when you first launch a blueprint or when you finally delete the entire application. In other words, these operations are run during the Create or Delete profile actions. Package Install and Uninstall are unique to each application profile, which means that the tasks or the task contents can vary depending upon the underlying cloud or the size.
Package install is commonly used for installing software
packages. For example, installing PostgreSQL with
sudo yum -y install
postgresql-server postgresql-contrib
.
Substrates are a combination of the underlying cloud and the virtual machine instance. When you select the desired cloud, Calm displays all of the fields required for creating a virtual machine instance on that particular cloud. The combination of all these fields constitutes a substrate. Substrates are the infrastructure abstraction layer for Calm. Calm can quickly change where or how applications are deployed by simply changing the substrate.
Actions are runbooks to accomplish a particular task on your application. You can use actions to automate any process such as backup, upgrade, new user creation, or clean-up, and enforce an order of operations across services. For more information, see Actions Overview.
Calm also has a few other components that you can use while configuring your blueprints.
Calm macros are part of a templating language for Calm scripts. These are evaluated by Calm's execution engine before the script is run. Macros help in making scripts generic and creating reusable workflows. For more information, see Macros Overview.
Variables are either user defined or added to the entities by Calm. Variables are always present within the context of a Calm entity and are accessible directly in scripts running on that entity or any of its child entities. For more information, see Variables Overview.
Categories (or tags) are metadata labels that you assign to your cloud resources to categorize them for cost allocation, reporting, compliance, security, and so on. Each category is a combination of key and values. For more information, see Categories Overview.
Dependencies are used to define the dependence of one service in your application on another service or multiple other services for properties such as IP addresses and DNS names. For example, if service 2 is dependent on service 1, then service 1 starts first and stops after service 2.
For information about how to define dependencies between services, see Setting up the Service Dependencies.
You can configure the following blueprint types in Calm.
A single-VM blueprint is a framework that you can use to create and provision an instance and launch applications that require only one virtual machine. Single-VM blueprints enable you to quickly provide Infrastructure-as-a-Service (IaaS) to your end users. For more information, see Creating a Single-VM Blueprint.
A multi-VM blueprint is a framework that you can use to create an instance, provision, and launch applications requiring multiple VMs. You can define the underlying infrastructure of the VMs, application details, and actions that are carried out on a blueprint until the termination of the application. For more information, see Creating a Multi-VM Blueprint.
The blueprint editor provides a graphical representation of various components that allow you to visualize and configure the components and their dependencies in your environment.
Use the Blueprints tab to perform actions, such as:
Services are the virtual machine instances, existing machines or bare-metal machines, that you can provision and configure by using Calm. You can either provision a single service instance or multiple services based on the topology of your application. A service can only expose an IP address and ports on which the request is received. After a service is configured, you can clone or edit the service as required.
A service includes the following entities:
A VM defines the configuration of the virtual machine instance, the platform on which the VM will be installed, and the connection information of the machine. For example, as shown in the following figure, you need to define the name, cloud, operating system, IP address, and the connection information for an existing machine.
A package enables you to install and uninstall software on an existing machine or bare metal machine by using a script. You need to provide the credentials of the VM on which you need to run the script. A sample script is shown in the following figure. Package also defines the port number and the protocol that is used to access the service.
A service enables you to create the variables that are used to define the service-level tasks and service-level actions. As part of the service, you can also define the number of replicas that you want to create of a service. The maximum number of replicas allowed is 300.
For information about how to configure a service, see Configuring Nutanix and Existing Machine VM, Package, and Service.
Calm macros are part of a templating language for Calm scripts. These are evaluated by Calm's execution engine before the script is run.
Macros enable you to access the value of variables and properties that are set on entities. The variables can be user defined or system generated. For more information, see Variables Overview.
Macros help in making scripts generic and creating reusable workflows. You can use macros in tasks within the blueprints or in the configuration of Calm entities, such as the VM name.
Macros require a set of delimiters for evaluation. These are @@{ and }@@ . Everything within these delimiters is parsed and evaluated. For example,
Macros support the following entities.
Macros support the following data types.
Data Type | Usage |
---|---|
String |
@@{"some string"}@@ or @@{'some string'}@@
Note:
Newline or other such special
characters are not supported. You can use \ to escape quotes.
|
Numbers |
Supports integer and float. For example, @@{ 10 + 20.63 }@@
Note:
All variables
are treated as strings.
|
Macros support the following operations.
Calm allows you to access macros of an array service using a special macro which starts with calm_array . You can configure a VM with replicas and access the common macros of all the replicas. For example, you can:
@@{calm_array_name}@@
@@{calm_array_address}@@
@@{calm_array_id}@@
The following table lists the built-in macros that you can use to retrieve and display the entities.
Macro | Usage |
---|---|
@@{calm_array_index}@@ | Index of the entity within an array |
@@{calm_blueprint_name}@@ | Name of the blueprint from which the application was created |
@@{calm_blueprint_uuid}@@ | Universally unique identifier (UUID) of the blueprint from which the application was created |
@@{calm_application_name}@@ | Name of the application |
@@{calm_application_uuid}@@ | UUID of the application |
@@{calm_uuid}@@ | UUID of the entity within the application on which the current task is running |
@@{calm_random}@@ | A random number is generated each time this is used. This will be evaluated each time and should not be used in fields such as VM name. |
@@{calm_unique}@@ | A random number that is unique to this replica. This will be evaluated to the same value across runs. |
@@{calm_jwt}@@ | JWT for the currently logged in user for API authentication. |
@@{calm_now}@@
@@{calm_today}@@ |
The current time stamp |
@@{calm_time(“<format>”)}@@ | The current time in the specified format |
@@{calm_year(“YYYY”)}@@
@@{calm_year(“YY”)}@@ |
The current year in YYYY or YY format |
@@{calm_month(“short”)}@@
@@{calm_month(“long”)}@@ |
Name of the current month in long or short format |
@@{calm_day(“month”)}@@
@@{calm_day(“year”)}@@ |
Numeric day of the month or year |
@@{calm_weeknumber}@@
@@{calm_weeknumber(“iso”)}@@ |
ISO Numeric week of the year |
@@{calm_weekday(“number”)}@@
@@{calm_weekday(“name_short”)}@@ @@{calm_weekday(“name_long”)}@@ |
Day of the week in numeric or short name or long name |
@@{calm_hour(“12”)}@@
@@{calm_hour(“24”)}@@ @@{calm_hour(“am_pm”)}@@ |
Numeric hour of the day in 12:00-hour or 24:00-hour format along with AM or PM |
@@{calm_minute}@@ | Numeric minute |
@@{calm_second}@@ | Numeric second |
@@{calm_is_weekday}@@ | Displays 1 if the current day is a weekday |
@@{calm_is_long_weekday}@@ | Displays 1 if the current day is a weekday from Monday to Saturday |
@@{calm_is_within("time1", "time2")}@@ | Displays 1 if the current time is within the time1 and time2 range |
@@{calm_project_name}@@ | Displays the project name |
@@{calm_username + @nutanix.com}@@ | Displays the username |
@@{calm_float("32.65") * 2}@@
@@{calm_int(calm_array_index) + 1}@@ |
Typecast to integer. This is useful for binary operations. |
@@{calm_string(256) + "-bit"}@@
@@{"xyz" + calm_string(42)}@@ |
Typecast to string. This is useful for string concatenation. |
@@{calm_b64encode(api_response)}@@
@@{calm_b64encode("a,b,c")}@@ |
Base64 encode the data passed to this macro. |
@@{calm_b64encode(b64_encoded_data)}@@
@@{calm_b64encode("YSxiLGM=")}@@ |
Base64 decode the data passed to this macro. |
You can access the properties of a VM by using the platform macros. The following section describes the macros to access the VM properties for different providers.
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.status.cluster_reference.uuid}@@ | To access the uuid of the cluster or the Prism element. |
@@{platform.status.resources.nic_list[0].mac_address}@@ |
To access mac the address.
Note:
Use the
nic_list
index to
access the mac address of a specific nic.
|
@@{platform.status.resources.nic_list[0].subnet_reference.name}@@ | To access the NIC name. |
@@{platform.status.resources.power_state}@@ | To get the state of the VM. |
@@{platform.status.num_sockets}@@ | To access number of sockets of the VM. |
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.datastore[0].Name}@@ | To access the datastore name. |
@@{platform.num_sockets}@@ | To access number of sockets of the VM. |
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.creationTimestamp}@@ | To get the VM creation time stamp. |
@@{platform.selfLink}@@ | To access the self link of the VM. |
@@{platform.networkInterfaces[0].subnetwork}@@ | To access the network details of the VM. |
The following table lists the endpoint macros for HTTP, Linux, and Windows endpoint types.
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.base_url}@@ | Base URL of the HTTP endpoint |
@@{endpoint.connection_timeout}@@ | Time interval in seconds after which the connection attempt to the endpoint stops |
@@{endpoint.retry_count}@@ | Number of attempts the system performs to create a task after each failure |
@@{endpoint.retry_interval}@@ | Time interval in seconds for each retry if the task fails |
@@{endpoint.tls_verify}@@ | Verification for the URL of the HTTP endpoint with a TLS certificate |
@@{endpoint.proxy_type}@@ | HTTP(s) proxy/SOCKS5 proxy to use |
@@{endpoint.base_urls}@@ | Base URLs of HTTP endpoints |
@@{endpoint.authentication_type}@@ | Authentication method to connect to an HTTP endpoint: Basic or None |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.address}@@ | IP address to access the endpoint device |
@@{endpoint.port}@@ | Port number to access the endpoint |
@@{endpoint.value_type}@@ | Target type of the endpoint: IP address or VM |
@@{endpoint.addresses}@@ | IP addresses to access endpoint devices |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.address}@@ | IP address to access the endpoint device |
@@{endpoint.port}@@ | Port number to access the endpoint |
@@{endpoint.value_type}@@ | Target type of the endpoint: IP address or VM |
@@{endpoint.connection_protocol}@@ | Connection protocol to access the endpoint: HTTP or HTTPS |
@@{endpoint.addresses}@@ | IP addresses to access endpoint devices |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
The following table lists the runbook macros.
Macro | Usage |
---|---|
@@{calm_runbook_name}@@ | Name of the runbook |
@@{calm_runbook_uuid}@@ | Universally unique identifier (UUID) of the runbook |
The following table lists the common properties of the virtual machine that are available for usage.
Properties | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
Macros provide a way to access the values of variables that you set on entities. Variables are either user defined or added to the entities by Calm. Variables are always present within the context of a Calm entity and are accessible directly in scripts running on that entity or any of its child entities.
The variable value of a parent entity can be accessed by the child entity unless the properties or the variables are overridden by another entity.
For example, if Variable1 is a variable that you defined on the application profile, then all child entity of the application profile can directly access the value of Variable1 in any task or script running on it as @@{variable1}@@ unless overridden by another entity.
Variables are directly accessed as @@{variable_name}@@ within any task on an entity where the variable is defined and all child entity that inherit this variable. This syntax only delivers the value for the corresponding replica in which the task is running. To get comma-separated values across replicas, you can use @@{calm_array_variable_name}@@ .
For example, on a service with 2 replicas, if you set a backup_dir variable through a set variable Escript task such as:
print "backup_dir=/tmp/backup_@@{calm_array_index}@@"
You get /tmp/backup_0 and /tmp/backup_1 values for replica 0 and 1 respectively.
When a task runs on this service with the echo "@@{backup_dir}@@" script, the script evaluates the following values in each replica of the service:
/tmp/backup_0
/tmp/backup_1
When you change the script to echo "@@{calm_array_backup_dir}@@" , the script evaluates to the following values in each replica of the service:
/tmp/backup_0,/tmp/backup_1
/tmp/backup_0,/tmp/backup_1
The syntax to access the value of variables or properties of other entities or dependencies is @@{<entity name>.<variable/attribute name>}@@ where entity name , is the name of the other entity or dependency and variable/attribute name is the name of the variable or attribute. For example:
Action-level variables are variables that are associated to an action and passed as an argument to the runlog when you run the action. Service action variables are unique for each service while the profile action variables are unique for each profile across all services and replicas. If you deploy five replicas, the service action variables will be the same across all replicas.
Action variables are used in the context of running an action and are defined at the action level. For example, if you have an action to install or uninstall a package on a particular VM, you can have the following action variables.
With multiple runs of this action, you can then install or uninstall multiple packages on the VM.
The following table lists the Nutanix variables that are available for usage.
Variables | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in VMware macros that you can use to retrieve and display the entities.
Properties | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in AWS macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{aws_instance_id}@@ | Instance ID of AWS |
@@{private_ip_address}@@ | Private IP address |
@@{private_dns_name}@@ | Private DNS name |
@@{public_ip_address}@@ | Public IP address |
@@{public_dns_name}@@ | Public DNS name |
@@{vm_zone}@@ | AWS zone of instance |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in GCP macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@
@@{ip_address}@@ @@{public_ip_address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{zone}@@ | Zone in which the VM instance is created. |
@@{platform_data}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
@@{internal_ips}@@ | List of all the private IP addresses. |
@@{external_ips}@@ | List of all the public IP addresses. |
The following table lists the built-in Azure macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{private_ip_address}@@ | Private IP address |
@@{public_ip_address}@@ | Public IP address |
@@{resource_group}@@ | Resource group name in which the VM instance is created. |
@@{platform_data}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the Kubernetes variables that are available for usage.
Properties | Usage |
---|---|
@@{K8sPublishedService.address}@@ | IP address of the service. |
@@{K8sPublishedService.name}@@ | Name of the service. |
@@{K8sPublishedService.ingress}@@ | Load balancer IP for public service. |
@@{K8sPublishedService.platform}@@ | Platform data for the service. |
@@{K8sDeployement.name}@@ | Name of the deployment. |
@@{K8sDeployement.platform}@@ | Platform data for the deployment. |
Categories (or tags) are metadata labels that you assign to your cloud resources to categorize them for cost allocation, reporting, compliance, security, and so on. Each category is a combination of key and values.
Your providers impose a limit to the number of tags that you can use for cloud governance. The following table lists the category or tag limit imposed by each provider:
Providers | Category or Tag Limit |
---|---|
Nutanix | 30 |
AWS | 50 |
VMware | No limit |
GCP | 15 |
Azure | 15 |
Calm reserves 6 tags out of the total tags allowed by your provider and populates them automatically when you provision your VMs using Calm. For example, AWS allows a limit of 50 tags. When you provision your VM on AWS using Calm, 6 out of 50 tags are automatically populated with keys and values specific to Calm VM provisioning. You can use the remaining 46 tags to define other key-value pairs.
The following table lists the Calm-specific categories or tags and their availability for different providers:
Categories or Tags | Nutanix | AWS | VMware | GCP | Azure |
---|---|---|---|---|---|
account_uuid | X | X | X | X | |
CalmApplication | X | X | X | X | X |
CalmService | X | X | X | X | X |
CalmUsername | X | X | X | X | X |
Calm Project | X | X | X | X | |
OSType | X | X | X | X | X |
A single-VM blueprint is a framework that you can use to create and provision an instance and launch applications that require only one virtual machine.
Single-VM blueprints enable you to quickly provide Infrastructure-as-a-Service (IaaS) to your end users.
You can create single-VM blueprints with your Nutanix, VMware, AWS, GCP, or Azure accounts. Use these steps to create a single-VM blueprint with any of your provider accounts.
Perform the following steps to do the preliminary setup of your single-VM blueprint.
Perform the following steps to add VM details to your blueprint.
Configuring the VM in your blueprint is specific to the provider account and the operating system you select for your blueprint. You can configure the VM in a blueprint with Nutanix, VMware, AWS, GCP, or Azure accounts.
Perform the following steps to configure the VM in a single-VM blueprint for your Nutanix account.
vm-@@{calm_time}@@
. For more information on Calm macros,
see Macros Overview.
Perform the following steps to configure the VM in a single-VM blueprint for your VMware account.
Templates allow you to create multiple virtual machines with the same characteristics, such as resources allocated to CPU and memory or the type of virtual hardware. Templates save time and avoid errors when configuring settings and other parameters to create VMs. The VM template retrieves the list options from the configured vCenter.
For more information, refer to VMware KB articles.
A content library stores and manages content (VMs, vApp templates, and other types of files) in the form of library items. A single library item can consist of one file or multiple files. For more information about the vCenter content library, see the VMware Documentation .
Perform the following steps to configure the VM in a single-VM blueprint for your GCP account.
Perform the following steps to configure the VM in a single-VM blueprint for your AWS account.
Perform the following steps to configure the VM in a single-VM blueprint for your Azure account.
The Resource Group list displays the resource groups that are associated with the subscriptions you selected in your Azure account. In case you have not selected any subscriptions, Calm considers all the subscriptions that are available in the Azure service principal to display the resource groups. Each resource group in the list also displays the associated subscription.
Perform the following steps to configure the VM in a single-VM blueprint for your Xi Cloud account.
vm-@@{calm_time}@@
. For more information on Calm macros,
see Macros Overview.
Xi Infrastructure Service Admininistration
Guide
.
Perform the following steps to configure advanced options such as credentials, packages, pre-create and post-delete tasks. Configuring advanced options is optional for a blueprint.
Perform the following steps to configure pre-create task, post-delete task, install package, or uninstall package in a single-VM blueprint.
Perform the following steps to configure application variables in your blueprint.
[
{
"display": "HTML Tutorial",
"url": "https://www.w3schools.com/html/default.asp"
},
{
"display": "CSS Tutorial",
"url": "https://www.w3schools.com/css/default.asp"
},
{
"display": "JavaScript Tutorial",
"url": "https://www.w3schools.com/js/default.asp"
},
{
"display": "jQuery Tutorial",
"url": "https://www.w3schools.com/jquery/default.asp"
},
{
"display": "SQL Tutorial",
"url": "https://www.w3schools.com/sql/default.asp"
},
{
"display": "PHP Tutorial",
"url": "https://www.w3schools.com/php/default.asp"
},
{
"display": "XML Tutorial",
"url": "https://www.w3schools.com/xml/default.asp"
}
]
Then,
during the launch time the list options are ["HTML Tutorial","CSS
Tutorial","JavaScript Tutorial","jQuery Tutorial","SQL Tutorial","PHP
Tutorial","XML Tutorial"].
A multi-VM blueprint is a framework that you can use to create an instance, provision, and launch applications that require multiple VMs.
In a Multi-VM blueprint, you can define the underlying infrastructure of the VMs, application details, and actions that are carried out on a blueprint until the termination of the application.
Services are the virtual machine instances, existing machines or bare-metal machines, that you can provision and configure by using Calm. A service exposes the IP address and ports on which the request is received. You can either provision a single-service instance or multiple services based on the topology of your application.
For more information about services in Calm, see Services Overview.
You can define and configure the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application for a service provider.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a Nutanix platform.
vm-@@{calm_array_index}@@-@@{calm_time}@@
. For more
information on Calm macros, see Macros Overview.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on an AWS platform.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a VMware platform.
Templates allow you to create multiple virtual machines with the same characteristics, such as resources allocated to CPU and memory or the type of virtual hardware. Templates save time and avoid errors when configuring settings and other parameters to create VMs. The VM template retrieves the list options from the configured vCenter.
For more information, refer to VMware KB articles.
A content library stores and manages content (VMs, vApp templates, and other types of files) in the form of library items. A single library item can consist of one file or multiple files. For more information about the vCenter content library, see the VMware Documentation .
To know the supported VMware guest tools versions, see the
VMware Product Interoperability Matrices .
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a GCP platform.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on an Azure platform.
The Resource Group list displays the resource groups that are associated with the subscriptions you selected in your Azure account. In case you have not selected any subscriptions, Calm considers all the subscriptions that are available in the Azure service principal to display the resource groups. Each resource group in the list also displays the associated subscription.
For Windows VMs, the Store field specifies the certificate store on the virtual machine to which the certificate is added. The specified certificate store is implicitly created in the LocalMachine account.
For Linux VMs, the certificate file is placed under the /var/lib/waagent directory. The format of the file name is <UppercaseThumbprint>.crt for the X509 certificate and <UppercaseThumbpring>.prv for private key. Both of these files are .pem formatted.
The following section describes Azure troubleshooting.
/home/calm/log/styx.log
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on Xi cloud provider.
Xi Infrastructure Service Admininistration
Guide.
Perform the following procedure to configure Kubernetes Deployment, Containers, and Service.
A Pod is the basic execution unit of a Kubernetes application and the smallest and simplest unit in the Kubernetes object model that you create or deploy. A Pod represents processes running on your cluster.
Labels are key/value pairs that are attached to objects, such as pods. You can use Labels to specify identifying attributes of objects that are meaningful and relevant to users, but do not directly imply semantics to the core system. You can also use Labels to organize and to select subsets of objects. You can attach Labels to objects either at the creation time or later. Each object can have a set of key/value labels defined. Each key must be unique for a given object.
NodePort
). A
ClusterIP
Service, to which the
NodePort
Service routes, is automatically created.
You'll be able to contact the
NodePort
Service, from
outside the cluster, by requesting
<NodeIP>:<NodePort>
.
NodePort
and
ClusterIP
Services, to which the external load
balancer routes, are automatically created.
Labels are key/value pairs that are attached to objects, such as pods. You can use Labels to specify identifying attributes of objects that are meaningful and relevant, but do not directly imply semantics to the core system. You can also use Labels to organize and select subsets of objects. You can attach Labels to objects at creation time and add or modify at any time. Each object can have a set of key/value labels defined. Each key must be unique for a given object.
Dependencies are used to define the order in which tasks must get executed. Perform the following procedure to set up the service dependency.
An application profile provides different combinations of the service, package, and VM while configuring a blueprint. You configure application profiles and use them while launching a blueprint.
[
{
"display": "HTML Tutorial",
"url": "https://www.w3schools.com/html/default.asp"
},
{
"display": "CSS Tutorial",
"url": "https://www.w3schools.com/css/default.asp"
},
{
"display": "JavaScript Tutorial",
"url": "https://www.w3schools.com/js/default.asp"
},
{
"display": "jQuery Tutorial",
"url": "https://www.w3schools.com/jquery/default.asp"
},
{
"display": "SQL Tutorial",
"url": "https://www.w3schools.com/sql/default.asp"
},
{
"display": "PHP Tutorial",
"url": "https://www.w3schools.com/php/default.asp"
},
{
"display": "XML Tutorial",
"url": "https://www.w3schools.com/xml/default.asp"
}
]
Then,
during the launch time the list options are ["HTML Tutorial","CSS
Tutorial","JavaScript Tutorial","jQuery Tutorial","SQL Tutorial","PHP
Tutorial","XML Tutorial"].
Blueprint configuration involves adding tasks, actions, snapshot and restore configurations, and VM update configurations.
Perform the following procedure to configure a blueprint.
Credentials are used to authenticate a user to access various services in Calm. Calm supports static and dynamic credentials with key-based and password-based authentication methods.
You configure a check log-in task to check whether you are able to SSH into the VM you create. Perform the following steps to configure check log-in.
You can either select the public IP address or private IP address of a NIC.
Delay timer defines the time period when the check login script is run after the VM starts. It allows you to configure the delay time to allow guest customization script, IP, and all other services to come up before running the check login script.
Tasks are part of your deployment creation process and are run one after the other. The tasks are used to perform a variety of operations such as setting up your environment, installing a set of software on your service, and so on.
You have the following basic types of tasks.
Pre-create tasks are actions that are performed before a service is provisioned in a blueprint. For example, if you want to assign static IP addresses to your VMs by using IPAM service, you can create and run a pre-create task to receive the IP addresses before the service is provisioned. The pre-create task helps to restrict the broadcast traffic to receive the IP addresses for those VMs during the service provision.
Post-delete tasks are actions that are performed after you delete a service in a blueprint. For example, if you want to delete the assigned IP addresses from your VMs, you can add a post-delete task to delete the IP addresses after the service is deleted. The post-delete task helps to restrict the broadcast traffic to delete the IP addresses for those VMs during the service provision.
You can create the Execute task type to run scripts on the VM.
eScripts
, see Supported eScript Modules and Functions.
For sample
Powershell
scripts, see Sample Powershell Script.
You can create a Set Variable task type to change variables in a blueprint.
Escripts
, see Supported eScript Modules and Functions.
For sample
Powershell
scripts, see Sample Powershell Script.
You can create an HTTP task type to query REST calls from a URL. An HTTP task supports GET, PUT, POST, and DELETE methods.
You can create a Delay task type to set a time interval between two tasks or actions.
Pre-create tasks are actions that are performed before a service is provisioned in a blueprint. Post-delete tasks are actions that are performed after you delete a service in a blueprint.
Actions are flows to accomplish a particular task on your application. You can use actions to automate any process such as backup, upgrade, new user creation, or clean-up and enforce an order of operations across services.
You can categorize actions into the following types.
Type | Description |
---|---|
Profile Actions |
Application Profile Actions are a set of operations that you can run on your
application. For example, when you launch a blueprint, the Create action is run. When
you do not need the application for a period of time, you can run the Stop action to
gracefully stop your application. When you are ready to resume your work, you can run
Start action to bring the application back to the running state.
You have the following types of profile actions.
|
Service Actions |
Service Actions are a set of operations that are run on an individual service.
These actions cannot be run directly by the application user but can be run indirectly
using either a profile actions or a package install or uninstall operation.
Services span application profiles. For example, if you create a service action in the AHV profile, the same service action is available in the AWS profile as well. You have the following types of service actions.
|
The following are the most common custom actions that developers add to their blueprints:
Custom Action | Description |
---|---|
Scale In |
The scale-in functionality enables you to decrease the number of replicas of a
service deployment. The number of instances to be removed from a service for each
scale-in action is defined in the blueprint while configuring the task in the
profile level action.
The scale count number must be less than or equals to the minimum number of replicas defined for the service. The VM that is created last is deleted first. For information on how to configure scale in, see Adding and Configuring Scale Out and Scale In. |
Scale Out |
The scale out functionality enables you to increase the number of replicas of a
service deployment. The number of instances to be added to a service for each
scale-out action is defined in the blueprint while configuring the task in the
profile level action.
The scale count number must be less than or equals to the maximum number of replicas defined for the service. For information on how to configure scale out, see Adding and Configuring Scale Out and Scale In. |
For information about how to create an action, see Adding an Action to a Multi-VM Blueprint and Adding an Action to a Single-VM Blueprint.
An action is a set of operations that you can run on your application that are created as a result of running a blueprint.
An action is a set of operations that you can run on your application that are created as a result of running a blueprint.
Perform the following procedure to add and configure the Scale Out and Scale In task.
The snapshot and restore feature allows you to create a snapshot of a virtual machine at a particular point in time and restore from the snapshot to recreate the application VM from that time. You can configure snapshot and restore for both single-VM and multi-VM applications on a Nutanix platform. All you need to do is to add the snapshot/restore configuration to the blueprint. Adding the configuration generates separate profile actions for snapshot and restore to which you can add further tasks and actions.
For VMware, AWS, and Azure platforms, the snapshot and restore feature is available by default only to the single-VM applications.
For more information on blueprint configuration for snapshots, see Configuring Single-VM Blueprints with Nutanix for Snapshots and Configuring Multi-VM Blueprints on Nutanix for Snapshots.
The snapshot/restore action for single-VM applications with Nutanix is no longer available by default. To enable snapshot, you must add a snapshot/restore configuration to the single-VM blueprint. You can configure to create snapshots locally or on a remote cluster. Snapshot and restore is a paired action in a blueprint and are always managed together.
The snapshot/restore configuration generates separate application profile actions for snapshot and restore. These actions also allow you to add more tasks and actions as part of the snapshot and restore configuration. For example, shutting down the application and the VM before creating the snapshot or restarting the VM before a restore. You can access these actions from the Manage tab of the Applications page.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
You can configure the snapshot/restore action in a blueprint on Nutanix account to create snapshots locally or on a remote cluster. Snapshot/restore is a paired action for a particular service in a blueprint and are always managed together.
The snapshot/restore definition of a service generates snapshot configuration and its corresponding restore configuration. You can use these configurations to modify your snapshot and restore setup.
The snapshot/restore configuration generates separate application profile actions for snapshot and restore. These actions allow you to add more tasks and actions as part of the snapshot and restore configuration. For example, shutting down the application and the VM before creating the snapshot or restarting the VM or services before a restore. You can access these actions from the Manage tab of the Applications page to create or restore snapshots.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
The update configuration feature allows you to update virtual machines of running applications on Nutanix to a higher or lower configuration. Using this feature, you can modify VM specifications such as the vCPU, memory, disks, networking, or categories (tags) of a running application with minimal downtime. You no longer have to create new blueprints or approach your IT administrator to modify VM resources.
To update configurations of a running application VM, you need to perform the following actions:
As a blueprint developer, you can add update configurations for a service in the blueprint. These update configurations are at the parallel level of application profile actions and can be executed individually for a particular service. As part of the configuration, you can do the following:
For example, consider a case where the original vCPU value in the blueprint is 4. You then add a change factor to the update configuration to increase the vCPU by 1 with a maximum limit of 5. When this update is launched, you can run the action only once to increase the vCPU to 5. Once the VM is upgraded to 5 vCPU, you cannot add any more vCPUs to the VM.
The update configuration generates the corresponding action where you can add tasks to define how you want to execute the update.
For more information about adding update configuration to a blueprint, see Adding an Update Configuration to Single-VM Blueprints and Adding an Update Configuration to Multi-VM Blueprints.
You can update VM specifications from the Manage tab of applications on Nutanix. For more information, see Update VM Configurations of Running Applications.
As a blueprint developer, you can add an update configuration to a single-VM application blueprint.
The update configuration feature allows you to update the virtual machine of a running single-VM application to a higher or lower configuration. For more information, see Update Configuration for VM.
As a blueprint developer, you can add an update configuration for a service to a multi-VM application blueprint.
The update configuration feature allows you to update virtual machines of running multi-VM applications to a higher or lower configuration. For more information, see Update Configuration for VM.
After you configure a blueprint, you can publish, unpublish, launch, or delete a blueprint.
Publishing a blueprint allows you to make the blueprint available at Marketplace, so that other users can use the published blueprint. Unpublishing a blueprint allows you to remove the blueprint from the Marketplace. For more information, see Submitting a Blueprint for Approval.
Launching a blueprint allows you to deploy your application on the blueprint and start using it.
The blueprint launch page provides the following views:
Blueprints that are launched from the marketplace display only the fields that require inputs from consumers. Displaying only editable fields offers a simpler and easy launching experience for your consumers.
You can switch to View as Developer after you develop your blueprints to verify how you configured different fields and the launching experience the configuration will provide to your consumers.
For more information, see Launching a Blueprint.
After you configure a blueprint, you can submit the blueprint to get an approval from the administrator. The administrator approves the blueprint and then publishes the blueprint at the marketplace for consumption.
You launch a blueprint to deploy an application on the blueprint and start using the application.
If the validation is successful, the application is available under the Application tab.
When you enter the platform data that is invalid for a provider while creating a blueprint, you get a validation error. The following table details the invalid platform data for each provider.
Providers | Invalid Platform Data |
Nutanix | Image, NIC List, and Categories. |
GCP | Machine Type, Disk Type, Network, SubNetwork, Source, Image, Zone, and Blank Disk. |
AWS | Vpc, Security Groups, and Subnets. |
VMware | Network name, NIC Type, NIC settings mismatch, Host, Template, Datastore, Datacenter, Storage Pod, and cluster. |
Azure | Image details (publisher, offer, sku, version), Custom image, Resource group, Availability Set Id, NIC List, Network Security group, Virtual Network Name, and Subnet Name. |
The platform validation error message appears as displayed in the following image.
You can also upload configured blueprints to the Blueprints tab. Perform the following procedure to upload a blueprint.
You can also download a configured blueprint to your local machine and use it later. Perform the following procedure to download a blueprint.
Perform the following procedure to view a blueprint.
You can edit a configured blueprint from the blueprints tab. Perform the following procedure to edit a blueprint.
Perform the following procedure to delete a blueprint.
If you have configured wrong details in your blueprint, you can view the error message while saving or publishing a blueprint. Perform the following procedure to view blueprint error message.
You can recover the deleted application blueprints within a time period of 90 days after you delete an application blueprint. This chapter describes the procedure to recover a deleted blueprint.
The marketplace provides preconfigured application blueprints and runbooks for instant consumption. The marketplace is a common platform for both publishers and consumers.
The marketplace has banners to display featured applications. All listed applications display the icon of the platform that supports the application.
You can filter applications or runbooks based on their category and source. You can also search an application or runbook in the marketplace.
Before provisioning an application, you can view details such as application overview, changes made in different versions, and application-level actions.
You can view application details such as licensing, installed resources, hardware requirements, operating systems, platforms, and limitations before you provision the application. You can also view the changes made in different versions and application-level actions.
Perform the following procedure to filter application blueprints or runbooks in the marketplace.
Perform the following procedure to search an application blueprint or runbook.
You can use the Marketplace tab to launch an application blueprint that is approved and published to the marketplace. The application launch page displays the fields that are editable by the consumer.
Following are the rules for naming convention.
VM configurations in blueprints and environments are associated with accounts. The environment patching depends on the account that you associate with the marketplace blueprint and the environment you configured.
To patch a cloud provider VM that has a specific OS type, Calm finds the corresponding match in the environment. In case there are no matches available, Calm displays a notification.
The following table lists the environment patching behavior for platform-dependent and platform-independent fields:
Fields | Condition | Patching Behavior |
---|---|---|
Platform-Dependent Fields | When different accounts are associated with the blueprint and environment | Values from the environment get preference for patching, irrespective of the values in the blueprint. |
Platform-Dependent Fields | When the blueprint and the environment have the same account | Values from the environment are patched only when the fields do not have any value in the blueprint. |
Platform-Independent Fields | When different accounts are associated with the blueprint and environment | Values from the environment are patched only when the fields do not have any value in the blueprint. |
Platform-Independent Fields | When the blueprint and the environment have the same account | Values from the environment are patched only when the fields do not have any value in the blueprint. |
The following table lists the platform-dependent fields for different platforms.
Platform | Platform-Dependent Fields |
---|---|
Nutanix | Image, Categories, Cluster, and NIC |
AWS | Machine Image, Key, Instance Profile Name, VPC ID, Subnet ID, and Security Group List |
GCP | Machine Type, Zone, Network, Disk Type, Source Image, and Email |
VMware | Host, Template, Datastore, Cluster, Storage Pod, Network Name, NIC Type, Disk Location, Disk ISO Path, Folder, and Tag List |
Azure | Resource Group, Location, Availability Set ID, Resource Group Details, Resource Group Operation, Network Security Group Name, Network Name, Subnet Name, Network Security Group ID, Virtual Network ID, Subnet ID, Publisher, Offer, SKU, Version, Source Image Type, and Source Image ID |
Assume that you have two Nutanix Prism Central accounts PC1 and PC2, and you added these accounts to your project (Project1). You then create two environments in the project with the following VM configuration:
ENV1 | ENV2 |
---|---|
|
|
You then create a blueprint with a Nutanix service under Project1 having the following configuration:
When you publish this blueprint in the marketplace and launch the blueprint with a different environment, the environment patching happens as follows:
Because different accounts are associated with the blueprint and environment, all platform-dependent field values are patched from the environment to the blueprint, irrespective of the values already available in the blueprint. The blueprint is launched with the following configuration.
Because the account is same for both blueprint and environment and all the platform-dependent fields already have values, the patching does not happen. The blueprint is launched with the following configuration.
Assume that you have a Prism Central account PC1 that is associated with two Prism Elements PE1 and PE2, and you add PC1 to your project (Project1).
Assume that the associated Prism Elements have the following networks.
You then create two environments with the following VM configuration:
ENV1 | ENV2 |
---|---|
|
|
You then create a blueprint with a Nutanix service under Project1 having the following configuration:
When you publish this blueprint in the marketplace and launch the blueprint with a different environment, the environment patching happens as follows:
Prism Element accounts are derived from the NIC or subnet. The PE1_Net2 network used in the blueprint associates the blueprint to Prism Element PE1, and the PE2_Net1 network used in ENV2 associates the environment to Prism Element PE2.
Because these two networks are connected to two
different Prism Element
account_uuid
, Calm considers this case as two
different accounts associated with the blueprint and environment. All platform-dependent
field values are, therefore, patched from the environment to the blueprint, irrespective
of the values already available in the blueprint. The blueprint is launched with the
following configuration.
The PE1_Net2 network used in the blueprint and the PE1_Net1 network used in ENV belong to the same Prism Element account.
Because these two networks share the same Prism Element
account_uuid
, Calm considers this case as the same account associated
with both the blueprint and environment. Platform-dependent fields in this case already
have values, and the patching does not happen. The blueprint is launched with the
following configuration.
Patching of credentials happens only when you publish your blueprints in the marketplace without secrets.
For patching, the credentials of the marketplace blueprint are mapped with the environment using the associated provider account and operating system type. The password or the key value of the corresponding environment is then patched to the blueprint. The credential name and the credential username are never patched from the environment.
For example, if the blueprint and the environment have the following configurations:
Blueprint | Environment |
---|---|
|
|
The credentials patching in the blueprint happens as follows:
When Blueprint is Published with Secrets | When Blueprint is Published without Secrets |
---|---|
|
|
The Cluster field is platform dependent. The environment patching logic of a platform-dependent field depends on the account that you associate with the marketplace item and the VM configuration of the environment.
Condition | Patching Behavior |
---|---|
When the cluster reference in the blueprint and in the environment VM configuration is the same. | No patching happens. The cluster reference from the blueprint is used for the launch. |
When the cluster reference in the blueprint and in the environment VM configuration is different. | Patching happens. The cluster value is patched from the environment for the launch. |
When the cluster reference in the blueprint is a macro.
Note:
Cluster reference
can be a macro only when all the subnets are overlay subnets or all the subnets are
macros.
|
No patching happens. The cluster value will remain as a macro.
When the reference is a macro, it is independent of the environment or the account that is being used for launch. |
VLAN subnets are platform dependent. The environment patching logic of VLAN subnets depends on the cluster reference of the blueprint and the cluster reference of the associated environment VM configuration.
Overlay subnets are VPC dependent. The environment patching logic of these subnets depends on the VPC reference in the blueprint and the VPC reference of the associated environment VM configuration.
All subnets in the substrate of a blueprint can either have overlay subnets or VLAN subnets. If subnets are overlay subnets, then all the subnets in the substrate must belong to the same VPC.
Condition | Patching Behavior |
---|---|
When the VLAN subnets in the blueprint and in the environment VM configuration is the same. | No patching happens. VLAN subnets are platform dependent. The VLAN subnet values referred in the blueprint are used. |
When the VLAN subnets in the blueprint and in the environment VM configuration is different. | Patching happens. VLAN subnets are platform dependent. The VLAN subnet values are patched from the environment. |
When the VPC reference of the subnets (overlay subnets) in the blueprint and the environment VM configuration is the same. |
No patching happens. The subnet values of the blueprint are used for the
launch.
Values from the environment is patched only if it is empty in the blueprint or not allowed in the destination environment. |
When the VPC reference of the subnets (overlay subnets) in the blueprint and the environment VM configuration is different. | Patching happens. The subnet values are patched directly from the environment. |
When the network type in the blueprint and the environment VM configuration are different (for example, overlay subnets in the blueprint and VLAN subnets in the environment). | Patching happens. The subnet values are patched directly from the environment. |
When the subnet reference of the any of the NICs in the blueprint is a macro. | Patching follows the usual conditions. However, the macros are never patched. |
You can execute a runbook an approved and published runbook using the Marketplace tab.
You can clone an application blueprint or runbook from the marketplace.
Use Marketplace Manager to manage the list of custom blueprints, ready-to-use marketplace application blueprints, and runbooks. You can approve, reject, launch, publish, unpublish, assign a category, and select projects for a blueprint. You can also approve, reject, publish, unpublish, and execute runbooks.
The Approved tab on the Marketplace Manager page provide you a list of ready-to-use application blueprints and the custom blueprints or runbooks you approved. The Approval Pending tab provides a list of custom blueprints and runbooks that require your approval to be available in the Marketplace for consumption.
When you select a blueprint or runbook from the list on any tab, the inspector panel displays the operations you can perform on the selected blueprint or runbook. The inspector panel also displays a brief overview of the blueprint or runbook and allows you to assign projects to blueprint or runbook.
You can perform the following actions on blueprints or runbooks.
Marketplace version enables you to define the initial version number of the blueprint or runbook that is getting published to the marketplace. Marketplace version also enables you to revise the version of a blueprint or runbook that is already published to the marketplace. For information about how to define marketplace version, see Submitting a Blueprint for Approval or Submitting a Runbook for Publishing.
You can approve custom blueprints or runbooks that are submitted for approval on the Approval Pending tab. You can also publish the approved blueprints or runbooks to the marketplace after associating them with a project on the Approved tab.
The Approved tab also displays the ready-to-use application blueprints that are available after enabling the Nutanix Marketplace Apps toggle button on the Settings page. These application blueprints do not require approval and can be published directly to the marketplace after associating them with a project. For more information about enabling the ready-to-use applications, see Enabling Nutanix Marketplace Applications.
You can unpublish a blueprint or runbook if you do not want to list it in the Marketplace. You can publish the blueprint or runbook again if required.
You can delete a blueprint or runbook that is not published in the marketplace. If you want to delete a published blueprint or runbook, you first have to unpublish it and then delete it.
You create applications in Calm by creating and launching blueprints.
The Applications page displays the list of all published applications under the Applications tab and the list of brownfield applications under the Brownfield Applications tab.
The Applications page provides the following details about an application.
You have the following application-level actions.
You cannot perform the Create action after the blueprint is launched and the application is created. You can perform all other application-level actions according to the application state.
You can also perform advanced application actions such as creating or restoring snapshots, updating VM configuration, or cloning an application. See the Advanced Application Actions chapter in this guide for details.
The applications page displays the state of the application based on the actions you perform on the Manage tab.
Application State | Description |
---|---|
Provisioning | When you start an application. |
Running | When the application is deployed and running after the provisioning state. |
Stopping | When you have initiated an operation to stop the application. |
Stopped | When the application is stopped. |
Restarting | When you have initiated an operation to restart the application after the application is stopped. |
Deleting | When you have initiated an operation to delete the application. |
Deleted | When the application is deleted. |
Busy | When you have installed the NGT services on the VMs of an application. |
Updating | When you are editing an application. |
Error | When the application goes to error state due to any action you have performed in the Manage tab. |
Failover-in-progress | When you have initiated a failover operation on Prism Central for the protected VMs of an application. |
Failover-failed |
When the failover operation for the VMs has failed. The failure state mainly
occurs in the following conditions.
|
You can click an application name to get details about the application as shown in the following figure.
The application page consists of the following tabs.
The Overview tab consists of the following panels.
Panel | Description |
---|---|
Application Description | Displays the application description. |
Variables | Displays the variable list used to create the blueprint. You can click the copy icon next to the variable to copy the variable. |
Cost Summary |
Displays the total cost, current cost for each hour, and the cost incurred in a
month for the resources that are running in the blueprint. The cost summary panel also
displays a graphical representation of the incurred cost.
Note:
The
Cost
Summary
panel is applicable for Nutanix and VMware
providers.
|
App Summary |
Displays the following application details.
|
App Status |
Displays the summary of virtual machines (VMs). The panel displays the number of
VMs that are in the following state.
|
VM info |
Displays the following VM details of the application.
|
The Manage tab lists the system-generated and user-created actions that you can perform on the application. When you click any of the listed actions, the editor displays the action dependencies.
You can perform the following system-generated actions on an application.
Nutanix guest tools (NGT) is a software bundle that you can install in a guest virtual machine (Microsoft Windows or Linux) to enable the advanced functionalities provided by Nutanix. For more information on NGT, see the Nutanix Guest Tool section in the Prism Web Console Guide .
The inspector panel also displays the action you perform on an application. To view the detailed course of the action, click Action .
The Metrics tab allows you to view performance metrics of the VM. The Metrics tab displays a section on the left with a list of metrics.
The following table describes the available metrics.
Metric | Description |
---|---|
CPU usage | Displays the percentage of CPU capacity currently the VM is using (0–100%). |
CPU ready Time | Displays the current, high, and low percentage of CPU ready time (0–100%). |
Memory usage | Displays the percentage of memory capacity currently the VM is using (0–100%). |
I/O Bandwidth | Displays separate graphs for total, write (only), and read (only) I/O bandwidth used per second (Mbps or KBps) for physical disk requests by the VM. |
I/O Latency | Displays separate graphs for total, write, and read average I/O latency (in milliseconds) for physical disk requests by the VM. |
IOPS | Displays separate graphs for total, write, and read I/O operations per second (IOPS) for the VM. |
Usage | Displays separate graphs for current, snapshot, and shared storage usage (in GiBs) by the VM. |
Working set size | Displays separate graphs for total, write, and read storage usage (in GiBs) for the VM working set size. |
Network packets dropped | Displays separate graphs for the number of transmitted and received packets dropped. |
Network bytes | Displays separate graphs for the amount of transmitted and received bytes (in GiBs). |
The Recovery Points tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application.
The Recovery Points tab applies only to single VM blueprints running with Nutanix as the provider.
To create snapshots of the single-VM or multi-VM applications that are running on Nutanix platform, use the snapshot action on the Manage tab of the application.
Fields | Description |
---|---|
Name | Displays the name of the snapshots. |
Creation Time | Displays the date and time of the snapshot creation. |
Location | Displays the location where the snapshot was taken. |
Expiration Time | Displays the expiration time of the snapshot. |
Recovery Point Type | Displays whether the snapshot type is application-consistent or crash-consistent. |
The Snapshot tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application. Use this tab to create snapshots of single-VM applications that are running on VMware or Azure.
Fields | Description |
---|---|
ID | Displays the ID of the snapshots. Snapshot IDs are unique and automatically generated when you take a snapshot. |
Name | Displays the name of the snapshot. |
Description | Displays the description of the snapshot. |
Parent | Displays the parent blueprint application from which the snapshot is taken. |
Creation Time | Displays the date and time when the snapshot is taken. |
The AMIs tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application.
Fields | Description |
---|---|
ID | Displays the ID of the snapshots. Snapshot IDs are unique and automatically generated when you take a snapshot. |
Name | Displays the name of the snapshot. |
Description | Displays the description of the snapshot. |
Creation Time | Displays the date and time when the snapshot is taken. |
Perform the following procedure to run shell commands on a web SSH console for a service.
The Audit tab lists the action or actions that are performed on an application as displayed in the following figure. To view the detailed course of the action, click action.
Brownfield applications are created to manage existing VMs that are currently not managed by Calm. To create a brownfield application, Calm must communicate with the VMs that are not managed by Calm. After the application is created, the application runs like any other Calm application.
The following are the key points you must consider before you create a brownfield application.
In Calm, the update configuration is stored as a single element per service and applicable from the first VM instance. When you select multiple VMs with different configurations in a service and update the configuration, the update configuration applies to the first VM instance. The same configuration is then followed for all the remaining VM instances.
Let’s say you selected VM1 and VM2 for the service with a RAM of 4 GB and 8 GB respectively. If you define the update configuration to increase the RAM by 1 GB and run the action, the update applies to VM1 to increase the RAM to 5 GB. The same configuration is then followed for VM2 to change the RAM from 8 GB to 5 GB causing undesirable results in both the update configuration and quota utilization checks.
For information on how to create a brownfield application, see Creating Brownfield Application.
Brownfield applications are created to manage existing VMs that are currently not managed by Calm. Perform the following procedure to create brownfield application.
You must launch the configured brownfield applications to be managed by Calm.
Nutanix Guest Tools (NGT) is a software bundle that you can install in a guest
virtual machine (Microsoft Windows or Linux) to enable the advanced functionality provided
by Nutanix. For more information about NGT, see the
Prism Central
Guide
. Perform the following procedure to install NGT services on your
VM. NGT services are only applicable for AHV clusters.
After you install NGT service on a VM, you can either enable or disable VSS and SSR
services by using the
Manage NGT Apps
play button. To know more VSS
and SSR services, see the
Nutanix Guest Tools
section in the
Prism Web Console Guide
.
If you do not want to recover application details after the host VM becomes unavailable, uninstall the NGT application. Perform the following procedure to uninstall NGT services for your application.
A snapshot preserves the state and data of an application virtual machine at a specific point in time. You can create a snapshot of a virtual machine at a particular point in time and restore from the snapshot to recreate the application from that time.
On a Nutanix platform, you can use the snapshot and restore feature in both single-VM and multi-VM applications. On VMware, AWS, and Azure platforms, you can use the snapshot and restore feature only in a single-VM application.
While the snapshot and restore feature is available by default for VMware, AWS, and Azure platforms, you need to add the snapshot/restore configuration to the single-VM or multi-VM blueprint on Nutanix. Adding the configuration to the blueprint generates separate profile actions for snapshot and restore. For more information, see Configuring Single-VM Blueprints with Nutanix for Snapshots and Configuring Multi-VM Blueprints on Nutanix for Snapshots.
Snapshot and restore of an application VM that runs on a Nutanix platform involves the following configurations and actions:
As a project admin, you define snapshot policies in a project. Snapshot policies help you define rules for taking snapshots of application VM. The policy determines the overall intent of the snapshot creation process and the duration of managing those snapshots. You can configure your snapshot policy to manage your snapshots on a local cluster, on a remote cluster, or both.
Remote snapshots are particularly useful when your Prism Central has a computer-intensive cluster managing workloads and a storage-intensive cluster managing your data, snapshots, and so on.
For more information about creating a snapshot policy, see Creating a Snapshot Policy.
You define snapshot and restore configuration for each service in a blueprint. You can configure the service to create snapshots locally or on a remote cluster. In case your multi-VM blueprint has multiple replicas of the service, you can configure the action to take snapshot only for the first replica or the entire replica set.
The snapshot/restore definition of a service generates the snapshot configuration and its corresponding restore configuration. You can use these configurations to modify your snapshot and restore setup. The snapshot/restore definition also generates application profile actions that you can use to create or restore snapshots. You can add more tasks and actions as part of your snapshot and restore to define actions you might want to take on your services. For example, shutting down the application and the VM before taking the snapshot or restarting the VM or services before a restore.
For more information on snapshot and restore configuration, see Blueprint Configuration for Snapshots and Restore.
You associate a policy defined in a project when you launch the application. Depending on the snapshot configuration that you provide in the blueprint, you can select the policy and the cluster in which the snapshot will be stored.
If you defined remote snapshot in the blueprint, then you can view all the policies that allow you to take a remote snapshot. You can select a policy and the corresponding clusters before you launch the application.
For more information, see Launching a Blueprint.
Like other profile actions, the profile actions for snapshot and restore appear on the Manage tab of an application. The snapshots created are listed under the Recovery Points tab of the application. When you create multiple snapshots as part of one action, they appear as a snapshot group. You can expand the group to view the snapshots, their corresponding services, and location. For more information, see Creating Snapshots on a Nutanix Platform.
Restore follows the same configuration that the snapshot has. To restore, you specify the variables and select applicable recovery points depending on the VM. For more information, see Restoring VM Details from Snapshots on a Nutanix Platform.
Perform the following procedure to create application-consistent or crash-consistent snapshots. Application-consistent or crash-consistent snapshots are used to capture and recover all of the VM and application level details. Application-consistent snapshots can also capture all data stored in the memory and transactions in process.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
Nutanix Guest
Tools
section in the
Prism Web
Console Guide
.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application from the snapshots.
A snapshot preserves the state and data of a virtual machine at a specific point in
time. You can create a snapshot of a virtual machine at any time and revert to that snapshot
to recreate the application from that time. For more information, see the
VMware Documentation
. Perform the following procedure
to create a snapshot.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application VM details from a snapshot.
You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. For more information, see AWS Documentation . Perform the following procedure to create a snapshot on a AWS platform.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application VM details from a snapshot. Ensure that you have captured the snapshots for the application VM.
Creating a snapshot of an application virtual machine on the Azure platform creates a point-in-time copy of your operating system and data disks associated with the VM. The snapshots you create can then be used to create a new VM with the same configurations as the source application VM.
You can restore the VM details of an application after the host VM becomes unavailable. The VM snapshot that you create on an Azure platform consists of the snapshot of operating system and data disks. When you restore the VM details, a new VM is created using the snapshots of the disks.
Perform the following procedure to delete the snapshots created for the VM under an application.
The update configuration feature allows you to update the virtual machine of a running application to a higher or lower configuration. Using this feature, you can modify VM specifications such as the vCPU, memory, disks, networking, or categories (tags) of a running production application with minimal downtime.
The process to update VM configuration of a running application on Nutanix is different from other providers.
To update configurations of a running single-VM or multi-VM applications on Nutanix, you need to perform the following steps:
For more information, see Update Configuration for VM.
You can update VM specifications from the Manage tab of the application. While launching the update, you can define the variables, verify the updates defined for the service by looking at the original value and updated value. You can also modify the values if the component is editable. You can also check the cost difference at the top of the page before applying the changes. For more information, see Updating the VM Configuration of an Application on Nutanix.
The option to update VM configuration of a running single-VM application on VMware, AWS, or Azure is available by default on the Overview tab of the application. The attributes that you can update depends on the provider account you selected for the application.
You can run the update configuration to modify the VM specifications, such as the vCPU, memory, disks, networking, or categories of a single-VM or multi-VM application.
You can click the delete icon to remove the existing disk.
You can click the delete icon to remove any new disk if your blueprint developer has enabled it in the application blueprint.
You can run the update configuration to modify parameters, such as VM configurations, controllers, disks, and network adapters of a single-VM application running on a VMware platform.
You can run the update configuration to modify parameters, such as instance type, IAM role, security groups, tags, and storage of a single-VM application running on an AWS platform.
You can run the update configuration to modify parameters, such as VM configurations, controllers, disks, or network adapters of a single-VM application running on an AWS platform.
You can add or update the credential, custom actions, post delete tasks, or package uninstall tasks from the Overview tab of a single-VM application.
An image is a template for creating new instance or VM. Calm allows you to create images from an existing single-VM or multi-VM application running on a Nutanix platform. Perform the following procedure to create an image from an existing application.
Perform the following procedure to clone an application. The cloned application has the same VM configuration as the source application from which it is cloned.
You can delete the unwanted applications from the Applications tab.
You can define and create custom or user-level actions while configuring a blueprint. Perform the following procedure to run the user-level actions.
System-level actions are pre-defined actions that you can run on an application. Perform the following procedure to execute the system-level actions.
Scheduler allows you to schedule application action and runbook executions. You can schedule recurring jobs and one-time jobs for critical operations throughout the application life cycle.
You can schedule any user-defined application actions, create or restore application snapshots (only AHV), or any pre-defined system actions such as Start, Stop, Restart, Delete, and Soft Delete. For example, you can schedule a Stop action and a Start action on a single-VM Calm application to run at a particular date and time.
Scheduler supports two types of entities.
Scheduler jobs have a role ownership. A user can modify the job that you created if the user has access to the entity and Allow Collaboration is enabled in the associated project. For example, if you create a scheduler job for an application action as a developer, a consumer that has access to the same application can modify the job. If Allow Collaboration is disabled in the project, then only the creator of the scheduler job can modify the job. For information on the role required to schedule application action and runbook execution, see Role-Based Access Control in Calm.
Create a scheduler job to perform an application action or runbook execution.
You can view or update a scheduler job on the Scheduler tab of the Policies page.
Scheduler jobs have a role ownership. You can update a job that a different user has created only when you have access to the entity and collaboration is allowed in the associated project.
You can also click View Logs for any executed job to go to the Audit tab and view the logs.
You can delete a scheduler job on the Scheduler tab of the Policies page.
An approval policy adds a level of governance to determine which application deployment requests or actions require approvals before they are initiated. You can use approval policies to manage your infrastructure resources, their associated costs, and compliance more effectively.
For example, consider a marketplace item that consumes a significant part of your available resources. You can use an approval policy to enable your IT administrator to review all deployment requests for that marketplace item and ensure that all requests are justified.
You can also use approval policies to enable a project administrator to review all the changes that are done as part of orchestration to a critical application instance.
As a Prism Central Admin or Project Admin, you can create approval policies for runbook executions, application launch, and application day-2 operations (system-defined or user-defined actions).
Each approval policy is a defined set of conditions that you apply to specific entities in Calm. An approval request is generated when an associated event meets all the conditions defined in the policy.
You can configure approval policies for specific events with different set of conditions. For example, to configure an approval policy for a marketplace item, you can use the following values:
The following table lists the different conditions that you can define for different events in approval policies. To search for a provider-specific attribute, type the provider name in the Attribute field.
Entity Type and Action | Provider | Attribute | Operator |
---|---|---|---|
Entity Type: Runbook Action: Execute |
All | Runbook Name | Equals, Contains, Like |
Task Name | Equals, Contains, Like | ||
Endpoint Name | Equals, Contains, Like | ||
Entity Type: Application Action: Launch |
All | Substrate Type | Equals, Contains, Like |
Blueprint Name | Equals, Contains, Like | ||
Application Name | Equals, Contains, Like | ||
Application Profile Name | Equals, Contains, Like | ||
Estimated Application Profile Cost | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Account Name | Equals, Contains, Like | ||
VM Name | Equals, Contains, Like | ||
Service Name | Equals, Contains, Like | ||
App Replicas Count | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
OS Type | Equals, Contains, Like | ||
Azure Specific Attributes | Azure Tag | Equals, Contains, Like | |
Azure Location | Equals, Contains, Like | ||
Azure Instance Name | Equals, Contains, Like | ||
Azure Resource Group | Equals, Contains, Like | ||
Azure Availability Zone | Equals, Contains, Like | ||
Azure Availability Set | Equals, Contains, Like | ||
Azure Hardware Profile | Equals, Contains, Like | ||
Azure Data Disk Name | Equals, Contains, Like | ||
Azure Data Disk Type | Equals, Contains, Like | ||
Azure Data Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Azure Network Profile Subnet | Equals, Contains, Like | ||
Azure Network Profile NIC Name | Equals, Contains, Like | ||
Azure Network Profile Virtual Network | Equals, Contains, Like | ||
Azure Network Profile Network Security Group | Equals, Contains, Like | ||
VMware Specific Attributes | VMware Instance Name | Equals, Contains, Like | |
VMware Datastore Cluster | Equals, Contains, Like | ||
VMware Datastore | Equals, Contains, Like | ||
VMware Cluster | Equals, Contains, Like | ||
VMware Host | Equals, Contains, Like | ||
VMware Sockets | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Cores Per Socket | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Memory | Equals, Contains, Like | ||
VMware Adapter Type | Equals, Contains, Like | ||
VMware Network | Equals, Contains, Like | ||
VMware Disk Type | Equals, Contains, Like | ||
VMware Tag | Equals, Contains, Like | ||
VMware Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Template Name | Equals, Contains, Like | ||
AHV Specific Attributes | AHV vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | |
AHV Cores Per vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Memory | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Category | Equals, Contains, Like | ||
AHV VPC Name | Equals, Contains, Like | ||
AHV vLAN Name | Equals, Contains, Like | ||
AHV Disk Type | Equals, Contains, Like | ||
AHV Disk Image Name | Equals, Contains, Like | ||
AHV Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Boot Configuration Type | Equals, Contains, Like | ||
AWS Specific Attributes | AWS Instance Type | Equals, Contains, Like | |
AWS Region | Equals, Contains, Like | ||
AWS Tag | Equals, Contains, Like | ||
AWS Root Volume Type | Equals, Contains, Like | ||
AWS Data Volume Type | Equals, Contains, Like | ||
AWS Root Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AWS Data Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AWS IAM Role | Equals, Contains, Like | ||
AWS VPC ID | Equals, Contains, Like | ||
AWS Security Group ID | Equals, Contains, Like | ||
AWS Subnet ID | Equals, Contains, Like | ||
AWS Machine Image ID | Equals, Contains, Like | ||
GCP Specific Attributes | GCP Instance Name | Equals, Contains, Like | |
GCP Machine Type | Equals, Contains, Like | ||
GCP Zone | Equals, Contains, Like | ||
GCP Boot Disk Storage Type | Equals, Contains, Like | ||
GCP Boot Disk Source Image | Equals, Contains, Like | ||
GCP Labels | Equals, Contains, Like | ||
Entity Type: Application Action: Day 2 Operation |
All | Application Name | Equals, Contains, Like |
Application Profile Cost | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
App Replicas Count | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Action Name | Equals, Contains, Like | ||
AHV Specific Attributes (for Update Config Only) | AHV vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | |
AHV Cores Per vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Memory | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Category | Equals, Contains, Like | ||
AHV vLAN Name | Equals, Contains, Like | ||
AHV VPC Name | Equals, Contains, Like | ||
AHV Device Type | Equals, Contains, Like | ||
AHV Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV (for Snapshots) | AHV Snapshot Location | Equals, Contains, Like | |
AHV Snapshot Replica | Equals, Contains, Like | ||
AHV Snapshot Name | Equals, Contains, Like |
Day 2 operations are combination of multiple actions. Ensure that you use the supported attributes for different day 2 operations to enforce the policy appropriately. For example, when you configure a policy with scale in or scale out task, the supported attributes can be App Replicas Count and Application Profile Cost.
The following table provides the day 2 operation with the supported attributes.
Day 2 Operation | Supported Attributes |
---|---|
AHV Update Config | Estimated Application Profile Cost, AHV vCPU, AHV Cores Per vCPU, AHV Memory, AHV Category, AHV VPC Name, AHV vLAN Name, AHV Disk Size, and AHV Device Type |
Scale-in or Scale-out task | App Replicas Count and Application Profile Cost |
AHV Snapshot Config | AHV Snapshot Name, AHV Snapshot Replica, and AHV Snapshot Location |
Supported Attributes for All Day 2 Operations | Application Name and Action Name |
For system actions, you must specify the name in the action_<system action> format. The following table lists the system action names supported for approval policies.
System Action | Names |
---|---|
Start | action_start |
Restart | action_restart |
Stop | action_stop |
Delete | action_delete |
Soft Delete | action_soft_delete |
Snapshot Create | action_snapshot_create |
Restore | action_restore |
Update | action_update |
To quickly create a new policy, you can clone an existing policy and edit its basic information, conditions, and approvers.
You cannot clone an approval policy that is in the Draft state.
You can enable a policy to enforce the policy on an event that matches the entity, action, and conditions of the policy or disable the policy to skip policy enforcement.
As a Prism Central Administrator or Project Administrator, you can delete an approval policy if the policy is no longer required for the event.
After you have created a policy, you can view the details of the policy on the policy details page.
An an approver, you can view a list of all pending approval policies on the Approval Requests tab and can either approve or reject the request with a reason.
When you approve a request, the event moves to the next task. When you reject a request, the requester is notified about the rejection of the request. If you are the requester, you can view your pending requests and the status of your reviewed request on the My Requests tab.
Library allows you to save user-defined tasks (scripts) and variables that you can use persistently for other application blueprints. You do not have to define the same tasks and variables for each blueprint.
You can also share tasks and variables listed as part of library across different projects. You can also customise an existing task or variable.
The Library tab lists all the published user-defined tasks and the created variable types to be used across multiple blueprints.
You create custom variable types for added flexibility and utility. Beyond just string and integer data types, you can create more data types such as Date/Time, list, and multi-line string. You can define list values as a static list of values or can attach a script (eScript or HTTP task) to retrieve the values dynamically at runtime.
While creating a custom variable type, you associate a project to the variable type. You can also share the variable type with multiple other projects using the "Share" option on the same page.
Create variable types so that you can use the variables during blueprint creation. You can also share the created variable types across multiple projects.
You can create tasks while configuring a blueprint and publish these tasks to the library. Calm allows you to import these published tasks while configuring other blueprints across multiple projects.
To refer to the video about task library, click here.
Add tasks to a project so that you can use the tasks while configuring blueprints for the selected project.
Delete unwanted tasks from the Library. The deleted tasks can no longer be used in any project while configuring a blueprint.
A runbook is a framework to automate routine tasks and procedures that pan across multiple applications without the involvement of a blueprint or an application.
A runbook is a collection of tasks that you can define to run sequentially at different endpoints. For more information about endpoints, see Endpoints Overview.
You can define the following types of tasks in a runbook.
Task | Description |
---|---|
Execute | To run Shell, PowerShell, and eScript (custom python) scripts. |
Set Variable | To run a script and create variables. |
Delay | To set a delay interval between two tasks or actions. |
HTTP | To perform REST calls to an HTTP endpoint. |
While Loop | To iterate over multiple tasks until the defined condition is met. |
Decision | To define different flows or paths based on the exit condition. |
VM Power On | To power on the VMs that are present in the VM endpoint type. |
VM Power Off | To power off the VMs present in the VM endpoint type. |
VM Restart | To restart the VMs present in the VM endpoint type. |
For more information about creating a runbook, see Creating a Runbook.
To share an active runbook across different projects, you can submit the runbook to be published as a Marketplace item. When the runbook is available at the marketplace, members from different projects to which the runbook is assigned can view and execute it.
When you submit a runbook for publishing, your administrator approves and publishes the runbook at the Marketplace. While publishing, your administrator selects the projects that can view and execute the runbook. You can publish runbooks with or without endpoints and with or without secret values (credential passwords or keys and secret variables). For more information, see Submitting a Runbook for Publishing.
You can select endpoints with virtual machines as the target type to execute power operation tasks such as power off, power on, or restart. Executing these tasks on Virtual machines is particularly helpful in cases where you need to run a set of scripts on multiple VMs and then restart the VMs. For example, when you want to upgrade a software on your VMs. For more information about creating an endpoint, see Creating an Endpoint.
You cannot modify the runbook after it is published. You can either execute the runbook or clone the runbook within your project from the marketplace.
A runbook is a collection of tasks that you can define to run sequentially at different endpoints.
Calm uses the default endpoint only when you do not configure any endpoint at the task level.
The task is further subdivided into True and False condition. You must repeat the steps to add the tasks and configure the task type.
Create a runbook with the Execute task to run Shell, PowerShell, and eScript (custom python) scripts. Create a runbook with the Set Variable task to run a script and create variables.
Create a runbook with the Delay task to set a delay interval between two tasks or actions.
Create a runbook with the HTTP task to perform REST calls to an HTTP endpoint.
Create a runbook with the While Loop task to iterate over multiple tasks until the defined condition is met.
Submit a runbook for publishing so that your admin can approve and publish it at the marketplace. Members from the associated projects can view and execute the runbooks that are published at the marketplace.
You can execute a runbook to run the tasks sequentially on an endpoint.
Perform the following procedure to delete a runbook.
Endpoints are the target resources where the tasks defined in a runbook or blueprint are run.
The endpoints are collection of IP addresses or VMs. The collection of VMs can be a static selection or can be dynamic with filter rules applied.
You have the following types of endpoints.
To know how to create an endpoint, see Creating an Endpoint.
For Windows or Linux endpoint type, you can select virtual machines as the target type. Selecting VMs as target type is useful in cases where you run a set of scripts on multiple VMs and then restart the VMs. For example, you can select VMs as target type to upgrade a software on your VMs.
After you select VMs as the target type, you must select the provider account to list all the associated VMs. You can filter the list of VMs. You can either select the VMs manually or enable the option to automatically select the filtered VMs for your endpoint.
Create an endpoint to run the tasks that you define in a runbook or blueprint.
Perform the following procedure to delete a endpoint.
You can take a backup of the Calm data to a specified location on your machine and restore the data to a new Prism Central. You back up the following data:
You can take a backup of the entire Calm data to a specified location on your machine.
To know how to back up Calm data on an IAMV2-enabled setup, see Backing up Calm Data in an IAMV2-Enabled Setup.
docker exec -it nucalm bash
calmdata
binary is available in the
/home/calm/bin
folder.
# cd /home/calm/bin
# ./calmdata backup --dump-folder <folder>
calmdata
tar file dump.
docker cp <nucalm_container_id>:<backup_tar_file_path> <PC_path_to_copy>
docker cp f4af4798e47d:/backup/3.5.2_backup.tar /home/nutanix/local_backup/
scp
command to copy the calmdata backup tar file from
the Prism Central file system to the new Prism Central.
docker cp <back_up_tar_file_path> <nucalm_container_id>:<restore_path_dump_folder>
You can take a backup of the entire Calm data to a specified location on your machine.
docker exec -it nucalm bash
calmdata
binary is available in the
/home/calm/bin
folder.
# cd /home/calm/bin
# ./calmdata backup --dump-folder <folder>
calmdata
tar file dump.
sudo kubectl -s 0.0.0.0:8070 -n ntnx-base get pods
cd ~/cluster/bin/
vi backup_iam.sh
backup_iam.sh
file.
sh backup_iam.sh
/usr/local/nutanix/iam-backup
.
docker cp <nucalm_container_id>:<backup_tar_file_path> <PC_path_to_copy>
docker cp f4af4798e47d:/backup/3.5.2_backup.tar /home/nutanix/local_backup/
scp
command to copy the calmdata backup tar file from
the Prism Central file system to the new Prism Central.
scp
command to copy the IAM backup zipped file from
the Prism Central file system to the following location on the new Prism
Central.
/usr/local/nutanix/iam-backup
docker cp <back_up_tar_file_path> <nucalm_container_id>:<restore_path_dump_folder>
You can restore the Calm data to a new Prism Central using a backup you took earlier.
For more information about backing up the Calm data, see Backing up Calm Data.
# ./calmdata restore --dump-folder <folder>
docker exec -ti nucalm bash
activate;
code ;
python scripts/update_policy_vm_host_data.pyc
sudo systemctl stop policy-container
sudo systemctl stop policy-epsilon-container
sudo systemctl stop chronos-container
docker rm -f policy
docker rm -f policy-epsilon
docker rm -f chronos
sudo systemctl start policy-container
sudo systemctl start policy-epsilon-container
sudo systemctl start chronos-container
cd ~/cluster/bin/
vi restore_iam_from_file.sh
restore_iam_from_file.sh
file.
sh restore_iam_from_file.sh
Use the following flag options for your Calm data backup:
Options | Description |
---|---|
dump-folder |
The folder where you want to place the backup data. The default folder is located
at
/tmp/default
.
Note:
Create this folder before taking the
backup. When you restore, the restore binary must be present at this
location.
Example:
|
max-threads |
The maximum number of threads to use to take the backup. The default value is
5.
Example:
|
fetch-limit |
The maximum number of entries to fetch in batches of 100 per call. The default
and the maximum value is 100. Decreasing the value of
fetch-limit
increases the time taken to back up Calm
data.
Example:
|
idf-timeout |
The timeout for IDF (database). Increase the value of IDF timeout if you
encounter backup failure due to timeout. The default value is
60.
Example:
|
backup-deleted-entities |
The flag to include deleted entities in the backup. The backup does not include
deleted entities when the value is False. The default value is
True.
Example:
|
When you enable the policy engine for your Calm instance, Calm creates and deploys a new VM for the policy engine in your Prism Central network. After the policy engine VM deployment, you can anytime create a backup of your policy engine database. You can use the backup to restore the policy engine to the earlier state on your existing policy engine VM or on a new policy engine VM.
You must run the backup and restore commands from your Prism Central instance.
ssh nutanix@<policy_vm_ip>
/home/nutanix/scripts/backup.sh
<policy_vm_ip>
is the IP address of the policy
engine VM.
/home/nutanix/data/backups/
.
scp
command and then to the new policy
engine VM.
ssh nutanix@<policy_vm_ip> /home/nutanix/scripts/restore.sh
–-list
ssh nutanix@<policy_vm_ip> /home/nutanix/scripts/restore.sh
-f=<backup_name>
<policy_vm_ip>
is the IP address of the policy
engine VM and
<backup_name>
is the local backup file
available on the policy engine VM.
Calm task library public repository contains scripts for installing and uninstalling different services. To access the repository, click here.
The following sections provide the sample scripts of Cloud-init and SysPrep to configure the static IP address range for non-managed AHV network.
#cloud-config
cloud_config_modules:
- resolv_conf
- runcmd
write_files:
- path: /etc/sysconfig/network-scripts/ifcfg-eth0
content: |
IPADDR=10.136.103.226
NETMASK=255.255.255.0
GATEWAY=10.136.103.1
BOOTPROTO=none
ONBOOT=yes
DEVICE=eth0
runcmd:
- [ifdown, eth0]
- [ifup, eth0]
manage_resolv_conf: true
resolv_conf:
nameservers: ['8.8.4.4', '8.8.8.8']
searchdomains:
- foo.example.com
- bar.example.com
domain: example.com
options:
rotate: true
timeout: 1
<?xml version="1.0" encoding="UTF-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<ComputerName>Windows2016</ComputerName>
<RegisteredOrganization>Nutanix</RegisteredOrganization>
<RegisteredOwner>Acropolis</RegisteredOwner>
<TimeZone>UTC</TimeZone>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<Identification>
<Credentials>
<Domain>contoso.com</Domain>
<Password>secret</Password>
<Username>Administrator</Username>
</Credentials>
<JoinDomain>contoso.com</JoinDomain>
<UnsecureJoin>false</UnsecureJoin>
</Identification>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-TCPIP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<Interfaces>
<Interface wcm:action="add">
<Identifier>Ethernet</Identifier>
<Ipv4Settings>
<DhcpEnabled>false</DhcpEnabled>
<RouterDiscoveryEnabled>true</RouterDiscoveryEnabled>
<Metric>30</Metric>
</Ipv4Settings>
<UnicastIpAddresses>
<IpAddress wcm:action="add" wcm:keyValue="1">10.0.0.2/24</IpAddress>
</UnicastIpAddresses>
<Routes>
<Route wcm:action="add">
<Identifier>10</Identifier>
<Metric>20</Metric>
<NextHopAddress>10.0.0.1</NextHopAddress>
<Prefix>0.0.0.0/0</Prefix>
</Route>
</Routes>
</Interface>
</Interfaces>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-DNS-Client" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<UseDomainNameDevolution>true</UseDomainNameDevolution>
<DNSDomain>contoso.com</DNSDomain>
<Interfaces>
<Interface wcm:action="add">
<Identifier>Ethernet</Identifier>
<DNSDomain>contoso.com</DNSDomain>
<DNSServerSearchOrder>
<IpAddress wcm:action="add" wcm:keyValue="1">10.0.0.254</IpAddress>
</DNSServerSearchOrder>
<EnableAdapterDomainNameRegistration>true</EnableAdapterDomainNameRegistration>
<DisableDynamicUpdate>true</DisableDynamicUpdate>
</Interface>
</Interfaces>
</component>
<component xmlns="" name="Microsoft-Windows-TerminalServices-LocalSessionManager" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<fDenyTSConnections>false</fDenyTSConnections>
</component>
<component xmlns="" name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<UserAuthentication>0</UserAuthentication>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Networking-MPSSVC-Svc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<FirewallGroups>
<FirewallGroup wcm:action="add" wcm:keyValue="RemoteDesktop">
<Active>true</Active>
<Profile>all</Profile>
<Group>@FirewallAPI.dll,-28752</Group>
</FirewallGroup>
</FirewallGroups>
</component>
</settings>
<settings pass="oobeSystem">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<UserAccounts>
<AdministratorPassword>
<Value>secret</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
</UserAccounts>
<AutoLogon>
<Password>
<Value>secret</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>Administrator</Username>
</AutoLogon>
<FirstLogonCommands>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985"</CommandLine>
<Description>Win RM port open</Description>
<Order>1</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
</FirstLogonCommands>
<OOBE>
<HideEULAPage>true</HideEULAPage>
<SkipMachineOOBE>true</SkipMachineOOBE>
</OOBE>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<InputLocale>en-US</InputLocale>
<SystemLocale>en-US</SystemLocale>
<UILanguageFallback>en-us</UILanguageFallback>
<UILanguage>en-US</UILanguage>
<UserLocale>en-US</UserLocale>
</component>
</settings>
</unattend>
Calm supports the following eScript modules.
Module | Module supported as |
---|---|
datetime | _datetime |
re | re |
difflib | difflib |
base64 | base64 |
pprint | pprint |
pformat | pformat |
simplejson | json |
ujson | ujson |
yaml | yaml |
Uuid | uuid |
requests | requests |
boto3 | boto3 |
azure | azure |
kubernetes | kubernetes |
The following example displays the usage of boto3 module.
import boto3
ec2 = boto3.client('ec2', aws_access_key_id='{}', aws_secret_access_key='{}', region_name='us-east-1')
print ec2.describe_regions()
The following example displays the usage of Azure module.
# subscription_id macro contains your Azure Subscription ID
# client_id macro contains your Client ID
# tenant macro contains you Tenant ID
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
credentials = ServicePrincipalCredentials(
client_id=@@{client_id}@@,
secret='secret',
tenant=@@{tenant}@@
)
client = ResourceManagementClient(credentials, @@{subscription_id}@@)
for item in client.resource_groups.list():
print(item)
The following example displays the usage of Kubernetes module.
from kubernetes import client as k8client
aToken="eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJl
cm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWN
jb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNl
YWNjb3VudC9zZWNyZXQubmFtZSI6InNhcmF0aC10b2tlbi1ubWo1cSIsImt1YmVybm
V0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJzYXJhdG
giLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQ
iOiIzODM1Zjk5MC0zZGJhLTExZWEtODgwNy01MDZiOGQzYjFhYjIiLCJzdWIiOiJzeXN0ZW06c2Vyd
mljZWFjY291bnQ6ZGVmYXVsdDpzYXJhdGgifQ.dLJCdlOGktRsXfxDItBdbYxDYJtnFS9pptQaKr
JS1QfWAiT93l_iPExZZ_7JGQ2t7glpe-DNEwfjKiqUkDKmuHZSxN9fV6PHjTc8CGOn1q4LV7
tFFkh4HNi-JjhLPkRRQUM6_y5qQSrx9asDEGVLGsoHjuMLhELi4Ghq1EOgcRxPCTQD6lq_C203Dap
PESdqPl7JsmIVBCkFUT4A8A4sseiOqq9ogX-QKvAwoI7yq97BMJLX7q868cNBRsbFzct1tS-CEx-RCPM95
qAzdLNUOrIszVVgSd7jLxIg_tqUH_yEj4T0cePsbLhrCBPRt6bHFCyg3RkIKRoIN2YBq0wPWw"
configuration=k8client.Configuration()
configuration.host="https://10.46.4.213:6443"
configuration.verify_ssl=False
configuration.debug=True
configuration.api_key={"authorization":"Bearer "+ aToken}
k8client.Configuration.set_default(configuration)
v1=k8client.CoreV1Api()
nodes=v1.list_node(watch=False)
print nodes.items[0].metadata.name
Calm supports the following eScript functions.
The API exposes REST interface as a set of objects. This action is implemented using python requests module.
urlreq(url, verb='GET', auth=None, c=None, user=None, passwd=None, params=None,
headers=None, timeout=None, send_form_encoded_data=True, allow_redirects=True,
cookies=None, verify=True, proxies=None)
requests.Response object is returned.
Arguments | Description |
---|---|
url | string, url to request |
verb |
string, verb is GET by default. POST, HEAD, PUT, PATCH, and DELETE are other valid entries. |
auth |
string (optional), BASIC and DIGEST are the valid entries.
For authentication purposes, the order is as follows.
|
user | string (optional), username used for authentication. |
passwd | string (optional), password used for authentication. |
params | dict (optional), if verb is GET, HEAD or DELETE, parameters are sent in the query string for the request otherwise they are sent in the body of the request. |
headers | dict (optional), Dictionary of HTTP headers needs to be send along with the request. |
timeout | integer (optional), you can configure requests to stop waiting for a response after a given number of seconds with the timeout parameter. timeout only elects the connection process itself, not the downloading of the response body. |
send_form_encoded_data | boolean (optional), = True by default. If False, parameters dict is first dumped using simplejson.dumps() and then passed as a string. |
allow_redirects |
boolean (optional), = True by default. Specifies whether redirects should be allowed or not. |
cookies | dict (optional), cookies dict to be sent along with the request. |
verify | boolean (optional), = True by default. Specifies whether SSL certificates should be verified or not. |
proxies | dict (optional), Dictionary mapping protocol to the URL of the proxy |
Rules for authentication in the order of priority.
If the above two criteria does not match, username and password are authenticated by using the credential attached to the task.
For example
params = {'limit': 1}
headers = {'content-type': 'application/octet-stream'}
r = urlreq(url, verb="GET", auth="BASIC", c='somecred', params=params, headers=headers)
r = urlreq(url, verb="POST", auth="BASIC", user="user", passwd="pass", params=params)
The exit function is an alias for sys.exit of python standard library.
exit(exitcode)
For example
exit(0)
The sleep function is an alias for time.sleep.
sleep(num_of_secs)
For example
sleep(10)
The _construct_random_password API generates a random password and returns it.
_construct_random_password(lower, upper=None, numCaps=0, numLetters=0,
numDigits=0, numPuncs=0, startwith=None, caps=None, letters=None,
digits=None, puncs=None)
Returns: String
Argument | Description |
---|---|
lower | integer, minimum number of characters in the password. |
upper | integer (optional), maximum number of characters in the password. If upper is not defined, then the password returned will always be as per lower, else the length can vary between lower and upper (both included). |
numCaps |
integer (optional), minimum number of capital letters that must be there in password. |
numLetters |
integer (optional), minimum number of letters that must be there in password. |
numDigits | integer (optional), minimum number of digits that must be there in password. |
numPuncs |
integer (optional), minimum number of punctuation alphabets that must be there in password. |
startwith |
string (optional), password returned starts with one of the characters provided in startwith string. |
caps | string (optional), default = 'A-Z'. This can be overridden. |
letters | string (optional), default = 'a-zA-Z'. This can be overridden. |
digits | string (optional), default = '0-9'. This can be overridden. |
puncs | string (optional), default = '!@#$%^&'. This can be overridden. |
The _is_bad_password function checks whether the password is correct or not.
_is_bad_password(password, reserved, dictionary=True, numCaps=0, numPuncs=0, \
numDigits=0, minLen=5)
For example
_is_bad_password("Abcd@123")
The _randomchoose function is used to get a random character from a string.
_randomchoose(string)
For example
_randomchoose("adsadrer")
The _shuffle function is used to shuffle the sequence.
_shuffle(sequence)
For example
_shuffle(a)
The get_sql_handle function enables you to remotely connect and manage SQL Servers. It is implemented by using python pymssql module.
get_sql_handle(server, username, password, database='', timeout=0, login_timeout=60, charset='UTF-8', as_dict=False, host='', appname=None, port='1433', conn_properties=None, autocommit=False, tds_version=None)
Returns pymssql.Connection object
Argument | Description |
---|---|
server (str) | database host |
user (str) | database user to connect as |
password (str) |
user’s password |
database (str) |
The database to initialize the connection with. By default SQL Server selects the database which is set as default for specific user |
timeout (int) | query timeout in seconds, default 0 (no timeout) |
login_timeout (int) | timeout for connection and login in seconds, default is 60 seconds |
charset (str) | character set with which to connect to the database |
For example
username="dbuser"
password="myP@ssworD"
server="10.10.10.10"
port="1433"
cnxn = get_sql_handle(server, username, password, port=port, autocommit=True)
cursor = cnxn.cursor()
# List all databases
cursor.execute("""
SELECT Name from sys.Databases;
""")
for row in cursor:
print row[0]
cnxn.close()
To refer to the video about supported eScripts, click here.
The following script is an EScript sample script.
#script
account_name = "@@{ACCOUNT_NAME}@@"
aviatrix_ip = "@@{address}@@"
new_test_password = "@@{NEW_TEST_PASSWORD}@@"
vpc_name = "Test"
api_url = 'https://{0}/v1/api'.format(aviatrix_ip)
#print api_url
def setconfig(api_url, payload):
r = urlreq(api_url, verb='POST', auth="BASIC", user='admin', passwd='passwd', params=payload, verify=False)
resp = json.loads(r.content)
if resp['return']:
return resp
else:
print "Post request failed", r.content
exit(1)
print "Get the session ID for making API operations"
payload = {'action': 'login', 'username': 'admin', 'password': new_test_password}
api_url1 = api_url + "?action=login&username=admin&password="+ new_aviatrix_password
cid = setconfig(api_url=api_url1, payload=payload)
cid = cid['CID']
print cid
print "Delete the gateway"
payload = {'CID': cid,
'action': 'delete_container',
'account_name': account_name,
'cloud_type': 1,
'gw_name': vpc_name
}
api_url1 = api_url + "?CID="+cid+"&action=delete_container&account_name="+account_name+"&cloud_type=1&gw_name="+vpc_name
print setconfig(api_url=api_url1,payload=payload)
print "Delete the aws account"
payload = {'CID': cid,
'action': 'delete_account_profile',
'account_name': account_name
}
api_url1 = api_url + "?CID="+cid+"&action=delete_account_profile&account_name="+account_name
print setconfig(api_url=api_url1,payload=payload)
The following script is a jwt usage sample script.
#script
jwt = '@@{calm_jwt}@@'
payload = {}
api_url = 'https://localhost:9440/api/nutanix/v3/apps/list'
headers = {'Content-Type': 'application/json', 'Accept':'application/json', 'Authorization': 'Bearer {}'.format(jwt)}
r = urlreq(api_url, verb='POST', params=json.dumps(payload), headers=headers, verify=False)
if r.ok:
resp = json.loads(r.content)
print resp
exit(0)
else:
print "Post request failed", r.content
exit(1)
The following script is a powershell sample script.
Install-PackageProvider -Name NuGet -Force
Install-Module DockerMsftProvider -Force
Install-Package Docker -ProviderName DockerMsftProvider -Force
The following script is a guest customization sample script for the Azure service.
<AutoLogon>
<Password>
<Value>@@{user.secret}@@</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>@@{user.username}@@</Username>
</AutoLogon>
The following script is a guest customization sample script for the Azure service.
<FirstLogonCommands>
<SynchronousCommand>
<CommandLine>cmd.exe /c powershell -Command get-host</CommandLine>
<Order>1</Order>
</SynchronousCommand>
</FirstLogonCommands>
The following script is a guest customization sample script for the VMware service.
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set winrm/config/service/auth @{Basic="true"}
powershell -Command "enable-psremoting -Force"
powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"
The following script is a guest customization sample script for the GCP service.
#! /bin/bash\napt-get update\napt-get install -y apache2\ncat <<EOF > /var/www/html/index.html\n<html><body><h1>Hello World</h1>\n<p>This page was created from a simple startup script!</p>\n</body></html>\nEOF
Calm blueprints public repository contains custom blueprints and custom scripts that are created and published by community members. Calm also publishes official blueprints and tasks to the github public repository. You can clone the published blueprints and scripts and use from the repository. To access the repository, click here .
The blueprints repository of Calm contains script that can be seeded into task library and published to projects. You can use these tasks for blueprint configuration.
bash generate_task_library_items.sh
export PC_IP=<prism central IP>
export PC_USER=<prism central user>
export PC_PASSWORD=<prism central password>
export PC_PROJECT=<prism central project>
python generate_task_library.py --pc $PC_IP--user $PC_USER --password $PC_PASSWORD --project $PC_PROJECT --script <path of script>
Calm license for Prism Central enables you to manage VMs that are provisioned or managed by Calm. Nutanix provides a free trial period of 60 days to try out Calm.
The Prism web console and Nutanix Support portal provide the most current information about
your licenses. For detailed information about the Calm licensing feature, refer to the
Prism Central Guide
.
Upgrade Calm or Epsilon using the Life Cycle Manager (LCM) from Prism Central. Epsilon is the orchestration engine for Calm. For more information , see Life Cycle Manager.
Use LCM to display the software and firmware versions of the entities in the cluster.
Use LCM to upgrade Calm and Epsilon to the latest available versions.
If you do not select any specific updates, the LCM performs all available updates.
By default, LCM automatically fetches updates from a pre-configured URL. If LCM fails to access the configured URL to fetch updates, you can configure the LCM to fetch updates locally to upgrade Calm and Epsilon.
Perform the following procedure to upgrade Calm and Epsilon at a dark site.
The LCM sidebar now shows the LCM framework with the updated version.
Refer to this section to upgrade Calm to the latest available version after you deploy the Calm VM.
Use the following procedure to upgrade Calm and Epsilon from Calm VM 3.5.1 to 3.5.2.
docker ps
command and check the status of Nucalm and
Epsilon containers.
To upgrade Calm VM using the PC method, do the following:
Check if the compatible PC version is available. If not, go to the Name Servers page and enter the global DNS server as the Name server.
A confirmation window appears.
Click Yes to start the download process. After the download gets completed, you can view the Upgrade list.
During the upgrade process, the Calm VM gets restarted.
Also, you can log in to the Calm VM GUI to view the upgraded version. In the top-left corner, click User Menu > About Nutanix .
You can upgrade to newer versions of Calm without performing a VM upgrade. Upgrades to most minor releases and few major releases are done using the LCM method.
To upgrade Calm VM using the LCM method, do the following:
A confirmation window appears.
Note that the Epsilon check-box also gets selected. Epsilon is the orchestration engine used by Calm.
A confirmation window appears.
By default, Life Cycle Manager (LCM) automatically fetches updates from a pre-configured URL. If LCM fails to access the configured URL to fetch updates, you can configure the LCM to fetch updates locally to upgrade Calm and Epsilon. Perform the following procedure to upgrade Calm and Epsilon at a dark site.
The LCM sidebar now shows the LCM framework with the same version as the LCM dark site bundle you downloaded.
The Credential Security Support Provider (CredSSP) protocol is a security support provider that you implement using the Security Support Provider Interface (SSPI). CredSSP allows an application to delegate credentials of a user from the client to the target server for remote authentication. CredSSP provides an encrypted transport layer security protocol channel. The client is authenticated over the encrypted channel by using the Simple and Protected Negotiate (SPNEGO) protocol with either Microsoft Kerberos or Microsoft NTLM.
For more information, refer to the Microsoft Documentation .
Perform the following procedure to enable CredSSP.
> Enable-WSManCredSSP -Role Server -Force
Perform the following procedure to generate an SSH key pair on a Linux VM.
$ ssh-keygen -t rsa
Perform the following procedure to generate an SSH key pair on Windows.
Integrated Linux based PowerShell gateway is an in-built microservice of Calm that you can use to run Windows PowerShell scripts. You do not have to install any Windows VM separately or install Karan service manually to run the PowerShell scripts in Calm. Perform the following task to run the PowerShell scripts in Calm.
> Install-windowsfeature -name AD-Domain-Services –IncludeManagementTools
> Enable-WSManCredSSP -Role Server -Force
> Install-windowsfeature -name AD-Domain-Services –IncludeManagementTools
You might encounter the following errors when you run the PowerShell scripts using the integrated Linux based PowerShell gateway.
Error | Description |
---|---|
Access denied |
If the VM and the WinRM services are started but the specified credential is wrong. You encounter the error in the following cases.
|
Connection refused |
You encounter the connection refusal error in the following cases.
|
Nutanix localizes the user interface in simplified Chinese and Japanese. All the static
screens are translated to the selected language. You can change the language settings of the
cluster from English (default) to simplified Chinese or Japanese. For information on how to
change the language setting, refer to the
Prism Central
Guide
.
Product Release Date: 2022-09-06
Last updated: 2022-11-22
Calm (also called NCM Self Service) allows you to seamlessly select, provision, and manage your business applications across your infrastructure for both the private and public clouds. Calm provides application automation, lifecycle management, monitoring, and remediation to manage your heterogeneous infrastructure, for example, VMs or bare-metal servers.
Calm supports multiple platforms so that you can use the single self-service and automation interface to manage all your infrastructure. Calm provides an interactive and user-friendly graphical user interface (GUI) to manage your infrastructure.
Calm is a multi-cloud application management framework that offers the following key benefits:
Calm simplifies the setup and management of custom enterprise applications by incorporating all important elements, such as the relevant VMs, configurations, and related binaries into an easy-to-use blueprint. These blueprints make the deployment and lifecycle management of common applications repeatable and help infrastructure teams eliminate extensive and complex routine application management.
Calm unifies the management of all your clouds into a single-pane-of-glass, removing the need to switch between portals. Calm automates the provisioning of multi-cloud architectures, scaling both multi-tiered and distributed applications across different cloud environments, including AWS, GCP, Azure, and VMware (on both Nutanix and non-Nutanix platforms).
Calm empowers different groups in the organization to provision and manage their own applications, giving application owners and developers an attractive alternative to public cloud services. Calm provides powerful, application-centric self-service capabilities with role-based access control. All activities and changes are logged for end-to-end traceability, aiding security teams with key compliance initiatives.
The marketplace offers preconfigured application blueprints that infrastructure teams can instantly consume to provision applications. The marketplace also provides the option to publish sharable runbooks. A runbook is a collection of tasks that are run sequentially at different endpoints. Infrastructure teams can define endpoints and use runbooks to automate routine tasks and procedures that pan across multiple applications without the involvement of a blueprint or an application.
With native integration into Beam, Calm also shows the overall utilization and true cost of public cloud consumption to help you make deployment decisions with confidence.
Combined with Nutanix Karbon or your choice of certified Kubernetes, Calm provides the tools required to modernize applications without losing control of policy. Additionally, Calm natively integrates with Jenkins to empower CI/CD pipelines with automatic infrastructure provisioning or upgrades for all applications.
Calm DSL describes a simpler Python3-based Domain Specific Language (DSL) for writing Calm blueprints. DSL offers all the richness of the Calm user interface along with additional benefits of being human readable and version controllable code that can handle even the most complex application scenario. DSL can be also used to operate Calm from a CLI.
As Calm uses Services, Packages, Substrates, Deployments and Application Profiles as building blocks for a blueprint, these entities can be defined as Python classes. You can specify their attributes as class attributes and define actions on those entities (procedural runbooks) as class methods.
Calm DSL also accepts appropriate native data formats such as YAML and JSON that allow reuse into the larger application lifecycle context of a Calm blueprint.
For technical articles, videos, labs and resources on Calm DSL, see Nutanix Calm DSL on Nutanix.dev.
You must configure the following components before you start using Calm.
Before you enable Calm from Prism Central, ensure that you have met the following prerequisites.
You can go to the Software Product Interoperability page to verify the compatible versions of Calm and Prism Central.
Nutanix certifies the following benchmarks for single-node deployment profiles (non-scale-out) and three-node deployment profiles (scale-out). Each benchmark contains scale numbers across different entities of Calm. Because the scaling properties of these entities often depend on each other, changes to one entity might affect the scale of other entities. For example, if your deployment has smaller number of VMs than the benchmarked number, you can have a higher number of blueprints, projects, runbooks, and so on.
Use these guidelines as a good starting point for your Calm installation. You might have to allocate more resources over time as your infrastructure grows.
The following table shows the Calm benchmarks for a single-node Prism Central profile.
Prism Central size | Prism Central configuration | Number of VMs | Number of single-VM blueprints | Number of single-VM applications | Number of projects | Number of runbooks |
---|---|---|---|---|---|---|
Small (1 node) |
6 vCPUs and 30 GB of memory for each node. |
2000 | 400 | 2000 | 50 | 250 |
Large (1 node) |
10 vCPUs and 52 GB of memory for each node. |
7000 | 1400 | 7000 | 250 | 500 |
The following table shows the Calm benchmarks for a three-node Prism Central profile. If high-availability is preferred, it is recommended to use the scale-out deployment.
Prism Central size | Prism Central configuration | Number of VMs | Number of single-VM blueprints | Number of single-VM applications | Number of projects | Number of runbooks |
---|---|---|---|---|---|---|
Small (3 nodes, scale out) |
6 vCPUs and 30 GB of memory for each node. |
3500 | 700 | 3500 | 100 | 500 |
Large (3 nodes, scale out) |
10 vCPUs and 52 GB of memory for each node. |
12500 | 2500 | 12500 | 500 | 1000 |
The following considerations are applicable for both Calm single-node and three-node (scale-out) profiles:
The maximum throughput on a large three-node (scale-out) deployment profile is 400 VMs per hour.
For a list of required Calm ports, see Port Reference. The Port Reference section provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.
Calm is integrated into Prism Central and does not require you to deploy any additional VMs. To start using Calm, you only have to enable Calm from Prism Central.
If the Prism web console is not registered from a Prism Central and the application blueprints have subnet, image, or VMs on the Prism web console, the Calm functionality is impacted.
Prism Central Guide
.
You can check the version of your Calm instance from the Calm user interface.
Calm VM is a standalone VM that you can deploy on AHV and ESXi hypervisors and leverage calm functionality without the Nutanix infrastructure.
You can deploy Calm using the image at the Nutanix Support Portal - Downloads page and manage your applications across a variety of cloud platforms. Calm VM deployment eliminates the need of the complete Nutanix infrastructure to use Calm features.
For information on Calm VM deployment on AHV, see Deploying Calm VM on AHV.
This section describes the steps to deploy a Calm VM on AHV.
You must create a VM with a specific Open Virtualization Format (OVF) image to access the Calm UI.
For more information, see Deploying OVA Template on VMware vSphere section in the VMware documentation .
This section describes the steps to deploy a Calm VM by using the vSphere CLI (govc).
$ govc import.ova -name 5.17.1-prismcentral -3.0.0.1 http://endor.dyn.nutanix.com/GoldImages/calm-vm
If you have downloaded the OVF file on your system, replace http://endor.dyn.nutanix.com/GoldImages/calm-vm with the location of the OVF file.
Running the command starts the uploading process. Once the uploading is complete, power on the Calm VM from the vSphere web client.
Use the following procedure to set up Scale-out version of Calm VM.
cluster stop
cluster destroy
#cluster --cluster_function_list="multicluster" -s <ip1>,<ip2>,<ip3> create
For example:
cluster --cluster_function_list="multicluster" -s 10.46.141.71,10.46.138.20,10.46.138.26 create
cluster --cluster_function_list="multicluster" --cluster_name "<Cluster Name>" -s <ip1>,<ip2>,<ip3> --cluster_external_ip=<vip> create
For example:
cluster --cluster_function_list="multicluster" --cluster_name "Demo" -s 10.46.141.71,10.46.138.20,10.46.138.26 --cluster_external_ip=10.46.141.70 --dns_servers 10.40.64.15,10.40.64.16 create
cd /home/nutanix/bin
python enable_calm.py
cluster status
docker cp /home/nutanix/bin/set_policy_calmvm.pyc nucalm:/home
docker cp /home/nutanix/bin/set_policy.sh nucalm:/home
docker exec nucalm /bin/sh -c '/home/set_policy.sh <POLICY_VM_IP> <POLICy_VM_UUID>'
Use the following steps to enable policy engine for Calm VM.
docker cp /home/nutanix/bin/set_policy_calmvm.py nucalm:/home
docker cp /home/nutanix/bin/set_policy.sh nucalm:/home
docker exec nucalm /bin/sh -c '/home/set_policy.sh <POLICY_VM_IP> <POLICY_VM_UUID>'
policy-engine.tar.gz
file from the Downloads page on to the policy
engine VM.
policy-engine.tar.gz
file.
upgrade.sh
.
docker ps
command to check the status of
policy containers, and wait for the containers to get healthy.
set_policy_calmvm.py
script from the
Downloads page into the
/home/nutanix/bin/
directory of your Calm VM
and provide the execute permission.
set_policy.sh
script from the Downloads page into the
/home/nutanix/bin/
directory of your Calm VM
and provide the execute permission.
By Default, Calm VM uses DHCP IP address. You can use the following procedure to launch Calm VM using a static IP address.
The following table lists the different tabs in Calm, their icons, and their usage:
Icons | Tab | Usage |
---|---|---|
Marketplace tab | To instantly consume application blueprints to provision applications. See Marketplace Overview. | |
Blueprint tab | To create, configure, publish, and launch single-VM or multi-VM blueprints. See Calm Blueprints Overview. | |
Application tab | To view and manage applications that are launched from blueprints. See Applications Overview. | |
Library tab | To create and use variable types and tasks. You use variables and tasks while configuring a blueprint. See Library Overview. | |
Runbooks tab | To automate routine tasks and procedures that pan across multiple applications without involving any blueprints or applications. See Runbooks Overview. | |
Endpoints tab | To create and manage target resources where the tasks defined in a runbook or in a blueprint can run. See Endpoints Overview. | |
Settings tab |
To enable or disable general settings. See General Settings in Calm. To configure and manage provider accounts. See Provider Account Settings in Calm. To configure and manage credential provider. See Configuring a Credential Provider. |
|
Policies tab | To schedule application actions and runbook executions. See Scheduler Overview. | |
Marketplace Manager tab | To manage approval and publishing of application blueprints. See Marketplace Manager Overview. | |
Projects tab | To create users or groups and assign permissions to use Calm. Projects tab also allows you to configure environment for your providers. See Projects Overview. |
You can use the following procedure to explore Calm user interface and get an overview of the Calm components.
You can use the following procedure to access the Calm REST API explorer console from the Calm user interface.
Calm manages the role-based access control using projects. Projects are logical groupings of user roles, accounts, VM templates, and credentials that are used to manage and launch blueprints and applications within your organization. For more information, see Projects Overview.
Users or groups are allowed to view, launch, or manage applications based on the roles that are assigned within the projects. Calm has the following roles for users or groups:
Project admins have full control of the project. They can perform reporting and user management, create blueprints, launch blueprints, and run actions on the applications.
Developers can create blueprints, launch blueprints, and run actions on the applications. They are, however, not allowed to perform reporting and user management.
Consumers can launch new blueprints from the marketplace and run actions on the applications. They are, however, not allowed to create their own blueprints.
Operators have minimum access and are allowed only to run actions against existing applications. They are not allowed to launch new blueprints or edit any existing blueprints.
The following table details the roles and responsibilities in Calm:
Prism Admin | Project Admin | Developer | Consumer | Operator | ||
---|---|---|---|---|---|---|
Marketplace | Enable and Disable | X | ||||
Manage | X | |||||
App publishing request | X | X | X | |||
Send App publishing request to the Administrator | X | X | ||||
Clone and edit App blueprint | X | X | X | |||
Blueprint | Create, update, delete, and duplicate | X | X | X | ||
Read-only | X | X | X | X | ||
Launch | X | X | X | X | ||
Applications | Complete App summary | X | X | X | X | X |
Run functions | X | X | X | X | X | |
App debug mode | X | X | X | X | X | |
Function edit | X | X | X | |||
Create App (brownfield import) | X | X | X | |||
Delete App | X | X | X | X | ||
Settings | CRUD | X | ||||
Task Library | View | X | X | X | X | X |
Create and Update | X | X | X | |||
Delete | X | |||||
Sharing with Projects | X | |||||
Projects | Add project | X | ||||
Update project | X | X | ||||
Add VMs to projects | X | |||||
Custom roles | ||||||
Users | Add users to the system and change roles | X | ||||
Add and remove users to or from a project | X | X | ||||
Change user roles in a project | X | X | ||||
Create Administrator | X | |||||
Create Project Administrator | X | X | ||||
Runbooks | Create and Update | X | X | X | ||
View | X | X | X | X | X | |
Delete | X | X | X | |||
Execute | X | X | X | X | X | |
Endpoints | Create and Update | X | X | X | ||
View | X | X | X | X | X | |
Delete | X | X | X | |||
Scheduler | Create, delete, and clone jobs | X | X | X | X | |
Read job and view execution status | X | X | X | X | X | |
Update job name, schedule, executable, and application action | X | X | X | X | ||
Edit operations on a blueprint launch | X | X | X | X | ||
Edit operations on runbook executions | X | X | X | X | ||
Edit operations on application actions | X | X | X | X | ||
Edit operations on Marketplace launch | X | X | X | X |
When you enable Calm, you get an out-of-the-box blueprint, a default project, and a preconfigured application profile with your Nutanix account. You can use the blueprint, project, and application profile to instantaneously launch your first application.
To quickly provision a Linux or Windows Infrastructure as a Service (IaaS) for your end users, you can configure and launch a single-VM blueprint in Calm.
Provisioning a Linux or Windows IaaS involves configuring the single-VM blueprint VM specifications and launching the blueprint.
The Settings tab allows you to control the overall administrative functionalities of the Calm instances. You must be a Prism Central administrator to access the Settings tab.
You can use the Settings > General tab to control the following functionalities:
Enable Nutanix Marketplace Applications to view and launch ready-to-use application blueprints. These application blueprints appear on the Marketplace Manager tab for publishing. You can publish the blueprints to the marketplace after associating them with a project.
Showback allows you to estimate the overall service cost of the applications running on your on-prem cloud. You can also view the graphical representation of the cost of the applications.
To enable and configure showback, see Enabling Showback.
Enable Showback to configure the resource cost of your applications and monitor them while you configure a blueprint or manage an application. Showback is applicable only for the Nutanix platform and the VMware through vCenter platform.
Disable showback to stop monitoring the resources cost of your application blueprints.
The policy engine is a single-VM setup for the single or scale-out Prism Central. When you enable the policy engine for your Calm instance, a new VM is created and deployed for the policy engine. All you need is an available IP address that belongs to the same network as that of your Prism Central VM for the policy engine VM.
As an administrator, you can enable the policy engine to:
The policy engine is a single-VM setup for the single or scale-out Prism Central.
When you enable the policy engine for your Calm instance, a new VM is created and deployed for the policy engine. All you need is an available IP address that belongs to the same network as that of your Prism Central VM for the policy engine VM.
You can enable the policy engine at a dark site.
<Calm version number>-CalmPolicyVM.qcow2
<Calm version number>-CalmPolicyVM.ova
After you enable the policy engine, you can set up the default quota values for vCPU, memory, and disk. This step is optional.
Setting up quota defaults saves you from repeatedly entering vCPU, memory, and disk quota values for each cluster. After you set the quota defaults, the default quota values populate automatically when you allocate quotas to your provider accounts.
After you enable policy engine, review the policy engine VM configuration, network configuration, and cluster information on the Policies tab of your Setttings page. For example, you can view the power status, protection status, or cluster name of the policy engine VM.
Disable the policy enforcement for your Calm instance if the policy engine VM encounters any connectivity issues or the policy engine VM is not responding.
You can enable approvals for your Calm instance from the settings page.
When you enable approvals, events such as runbook executions, application launch, and application day-2 operations that match the conditions defined in the approval policy go through the approval process.
You can disable approvals for your Calm instance from the Settings page.
When you enable approvals, events such as runbook executions, application launch, and application day-2 operations do not go through the approval process even when they match the conditions defined in the approval policy.
You can view the configuration details and email template on the Policies tab of the Settings page.
The content of the email templates for approver or requester can be modified only using the APIs. You can use the following supported email template variables.
You can use these variables with the {{}} syntax. For example, {{.PCIP}} .
You can view the protection and recovery status of a Calm application when:
You can view the protection and recovery status of the application on the Application Overview page. For more information, see Overview Tab.
To enable the option to show application protection status, see Enabling Application Protection Status View.
Enable the Show App Protection Status toggle button to view the protection and recovery status of a Calm application that is deployed on a Nutanix platform. You must be a Prism Central administrator to enable or disable the toggle button.
Calm automatically archives run logs of the deleted applications and custom actions that are older than three months. You can download the archives within 7 days from the time of archive creation.
For a running application, data is not archived for the system-generated Create actions.
You can get the following information for Start, Restart, Stop, Delete, and Soft Delete system-generated actions and user-created actions.
Calm archives all action details of a deleted application.
Only an administrator can view and download the application log archive. For more information, see Downloading Application Log Archive.
Calm periodically archives application logs to clear resources. You can download the archived application logs from the Settings tab.
Provider accounts are cloud services, baremetals, or existing machines that you can use to deploy, monitor, and govern your applications. You can configure multiple accounts of the same provider.
Use the Settings > Accounts tab to configure provider accounts. You configure provider accounts (by using the provider credentials) to enable Calm to manage applications by using your virtualization resources.
Calm supports the following provider accounts:
Provider Accounts | Description |
---|---|
Nutanix |
All the AHV clusters that are registered to the Prism Central instance are
automatically added as providers.
Note:
If you want to add a remote Prism Central (PC)
instance as a provider in a multi-PC setup, you must add the remote PC instance as
an account in Calm. For more information, see Configuring a Remote Prism Central Account.
|
VMware | To configure a VMware account, see Configuring a VMware Account. |
AWS | To configure an AWS account, see Configuring an AWS Account. |
Azure | To configure an Azure account, see Configuring an Azure Account. |
GCP | To configure a GCP account, see Configuring a GCP Account. |
Kubernetes | To configure a Kubernetes account, see Configuring a Kubernetes Account. |
Xi Cloud | To configure Xi Cloud as a provider, see Configuring a Xi Cloud Account. |
All AHV clusters that are registered to your Prism Central instance are automatically added as provider accounts to Calm.
You can also configure any remote Prism Central (PC) as an account in Calm to deploy applications on the remote PC. For more information, see Support for Multi-PC Setup.
In a multiple Prism Centrals (multi-PC) setup, a central Calm instance (called global Calm instance) runs only on one of the PCs (called host or parent PC) and all the other PCs are connected to the central Calm instance as the remote PCs.
The global Calm instance can now manage the applications deployed on the geographically distributed Prism Centrals (also called remote PCs) without the need of separate Calm instances for every PC. A remote PC is only used to provision the tasks for the deployed applications.
In a multi-PC environment, every remote PC is added as an account to the host PC and you can add the account to your project before creating and launching a blueprint.
For more information about adding a remote PC as an account, see Configuring a Remote Prism Central Account.
For more information about adding the account to a project, see Adding Accounts to a Project.
To deploy an application on a remote PC, you must configure the remote PC as an account in Calm.
You require the role of a Prism Admin to configure a remote PC account.
For more information about multiple Prism Central setup support, see Support for Multi-PC Setup.
Calm lets you use Virtual Private Clouds within the Flow Virtual Networking framework to network the VMs using overlay networks. A VPC is an independent and isolated IP address space that functions as a logically isolated virtual network. VMs that you create with VPC Subnets cannot communicate with a VM that is outside the VPC. Even the VMs outside the VPC cannot reach the VMs within the VPC.
In the absence of this direct communication, you can set up tunnels to communicate with the VMs within the VPC for orchestration activities and to run script-based tasks. You can set up the tunnel VM in any one of the subnets within the VPC.
To set up tunnels for your VPCs, you must:
For more information on creating VPC tunnels, see Creating VPC Tunnels.
In your Nutanix account, you set up tunnels to get access to the VMs that are created within the VPCs.
The tunnels that you create enables you to perform check log-in and run script-based execution tasks on the VMs that use the overlay subnets of the VPC.
If tunnel is not configured for the selected VPC, you can only perform basic operations (such as VM provisioning) on the VPC.
Configure your VMware account in Calm to manage applications on the VMware platform.
To refer to the video about setting up VMware as provider, click here.
The following table provides the complete list of permissions that you need to enable in vCenter before you configure your VMware account in Calm.
Entity | Permission |
---|---|
Datastore |
|
Network |
|
Resource |
|
vSphere Tagging |
|
Virtual Machine > Change Configuration |
|
Virtual Machine > Interaction |
|
Virtual Machine > Edit Inventory |
|
Virtual Machine > Provisioning |
|
You must define the custom role at the vCenter level instead of the Datacenter level. For information on how to enable permissions in vCenter, see the vSphere Users and Permissions section in the VMware documents.
Calm supports the following versions of vSphere.
Configure your AWS account in Calm to manage applications on the AWS platform.
nutanix@cvm$ ncli cluster get-name-servers
GovCloud (US) is an isolated AWS region to help the United States government agencies and federal IT contractors host sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements.
The AWS GovCloud (US) region supports the management of regulated data by restricting physical and logical administrative access to U.S. citizens only.
To manage applications on the AWS platform using Calm, you must have a privileged AWS user account with an appropriate policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListRoles",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:GetAccountPasswordPolicy",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateSnapshot",
"ec2:CreateImage",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:DisassociateIamInstanceProfile",
"ec2:RegisterImage",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot",
"ec2:GetConsoleOutput",
"ec2:Describe*",
"ec2:DeleteTags",
"ec2:TerminateInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["iam:ListUserPolicies"],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
},
{
"Effect": "Allow",
"Action": ["iam:PassRole"],
"Resource": ["arn:aws:iam::*:role/*"]
}
]
}
The following table displays the list of user policy privileges and the corresponding JSON attributes that you can add in the JSON syntax to assign different privileges to a user.
To create | JSON attributes |
---|---|
EC2 Instances |
ec2:RunInstances
|
Volumes |
ec2:CreateVolume
|
Snapshot |
ec2:CreateSnapshot
|
Image(AMI) |
ec2:CreateImage
|
To list or get | JSON attributes |
SSH Public Keys for all users |
iam:ListSSHPublicKeys
|
List IAM Roles |
iam:ListRoles
|
EC2 attributes |
ec2:Describe*
|
EC2 instance console output |
ec2:GetConsoleOutput
|
IAM user policies for the user |
iam:ListUserPolicies
|
To update | JSON attributes |
Image(AMI) attributes |
ec2:ModifyImageAttribute
|
To delete | JSON attributes |
EC2 Instances |
ec2:TerminateInstances
|
Instance Tags |
ec2:DeleteTags
|
Snapshot |
ec2:DeleteSnapshot
|
Images(deregister images) |
ec2:DeregisterImage
|
Others | JSON attributes |
Start/Stop/Restart Instances |
ec2:RunInstances, ec2:StartInstances, ec2:StopInstances,
ec2:RebootInstances
|
Pass and IAM role to service |
iam:PassRole
|
Configure your GCP account in Calm to manage applications on the GCP platform.
Configure your Azure account in Calm to manage applications on the Azure platform.
You must have a privileged Azure user account to manage applications on an Azure platform using Calm.
To refer to a video about assigning minimum privilege to configure Azure account to work with Calm, click here.
{
"Name": "Calm Admin",
"IsCustom": true,
"Description": "For calm to manage VMs on azure provisioned from calm applications",
"Actions": [
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/checknameavailability/read",
"Microsoft.Storage/skus/read",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/publicIPAddresses/*",
"Microsoft.Network/publicIPPrefixes/*",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/write",
"Microsoft.Compute/disks/*",
"Microsoft.Compute/images/read",
"Microsoft.Compute/images/write",
"Microsoft.Compute/locations/publishers/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/read",
"Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/snapshots/*",
"Microsoft.Compute/locations/vmSizes/read",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.GuestConfiguration/*/read",
"Microsoft.GuestConfiguration/*/write",
"Microsoft.GuestConfiguration/*/action",
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/vaults/deploy/action"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/<subscription id>"
]
}
az role definition create --role-definition <file>.json
az ad sp create-for-rbac -n "CalmAccount" --role "Calm Admin"
Configure your Kubernetes account in Calm to manage applications on the Kubernetes platform.
For Calm to manage workloads on Amazon EKS, Azure Kubernetes Service (AKS), Anthos or Red Hat OpenShift, enable the generic authentication mechanism and create a service account on the Kubernetes cluster. You can then use the service account to communicate with the cluster.
kubectl create serviceaccount ntnx-calm
kubectl create clusterrolebinding ntnx-calm-admin --clusterrole
cluster-admin --serviceaccount default:ntnx-calm
SECRET_NAME=$(kubectl get serviceaccount ntnx-calm -o
jsonpath='{$.secrets[0].name}')
kubectl get secret ${SECRET_NAME} -o jsonpath='{$.data.token}' |
base64 –decode
kubectl config view --minify --raw -o
jsonpath='{.clusters[*].cluster.certificate-authority-data}' | base64
–decode
To manage workloads on Nutanix Xi Cloud, add your Xi Cloud as an account in Calm if your Prism Central is paired with a Xi cloud. Calm automatically discovers the availability zones of the Xi Cloud and allows you to add the Xi Cloud account as a provider account.
Calm automates the provisioning and management of infrastructure resources for both private and public clouds. When any configuration changes are made directly to the Calm-managed resources, Calm needs to sync up the changes to accurately calculate and display quotas and Showback information.
Platform sync enables Calm to synchronize any changes in the clusters that are managed by Calm on connected providers. These changes can be any IP Address changes, disk resizing, unavailability of VMs, and so on.
For example, when a VM is powered off externally or deleted, platform sync updates the VM status in Calm. Calm then adds the infrastructure resources consumed by the VM (memory and vCPU) to the total available quota.
You can specify an interval after which the platform sync must run for a cluster. For more information, see Configuring a Remote Prism Central Account and Configuring a VMware Account.
Platform sync enables Calm to synchronize any changes in the clusters that are managed by Calm on connected providers. These changes can be any IP Address changes, disk resizing, unavailability of VMs, and so on. You can sync up the configuration changes instantly for your accounts.
Allocate resource quotas to your accounts to have a better control over the infrastructure resources (computer, memory, and storage) that are provisioned through Calm. Based on the resource quota you allocate, the policy engine enforces quota checks when applications are launched, scaled-out, or updated.
Use the utilization report to analyze how the projects to which the cluster is assigned consumed the allocated resources of the cluster. For example, if a Nutanix cluster is assigned to three different projects, you can analyze how the assigned projects consumed the allocated resources of that cluster.
Credentials help in abstracting identity settings while connecting to an external system. Credentials are used to authenticate a user to access various services in Calm. Calm supports key-based and password-based authentication method.
Credentials are used in multiple Calm entities and workflows.
Environment allows a Project Admin to add multiple credentials and configure VM default specifications for each of the selected providers as a part of project and environment configurations.
Project admins must configure an environment before launching an application from the marketplace. The recommendation is to have at least one credential of each secret type (SSH or password) to be defined under each environment in the project. These values get patched wherever the credential values are empty when you launch your marketplace items.
Developers can add credentials to a blueprint. These credentials are referenced after the VM is provisioned. Credentials defined within an environment of a project have no significance or impact on the credentials you define within the blueprint.
Calm supports export and import of blueprints across different Prism Central or Calm instances along with the secrets. The developer uses a passphrase to encrypt credentials and then decrypts credentials in a different instance using the same passphrase to create a blueprint copy.
All global marketplace items have empty credentials values. However, locally published blueprints can have the credential values if the developer published the blueprint with the Publish with Secret s option enabled.
When you launch a marketplace item, credentials are patched wherever the value is empty. In case there are multiple credentials of a particular type configured within the environment of a project, you get the option to select a credential for the launch.
Owners can change the credential value of an application multiple times until the application is deleted. The latest value of a credential that is available at that point in the application instance is used when an action is triggered.
Any change in the credential value at the application level does not impact the credential value at the corresponding blueprint level.
Calm allows managing the following types of credentials:
Static credentials in Calm are modelled to store secrets (password or SSH private key) in the credential objects that are contained in the blueprints that the applications copy.
Calm supports external credential store integration for dynamic credentials. A credential store holds username and password or key certificate combinations and enables applications to retrieve and use credentials for authentication to external services whenever required. As a developer, you can:
For more information about configuring a credential provider, see Configuring a Credential Provider.
When a blueprint uses a dynamic credential, the secret (password or SSH private key) is not stored in the credential objects within the blueprint. The secret values are fetched on demand by executing the runbook within the credential provider that you configure in Calm and associate with the blueprint.
Calm supports external credential store integration for dynamic credentials.
As a developer, you can define variable, runbook, and attributes in a dynamic credential provider definition.
A project defines Active Directory users or groups to manage common set of requirements or functions. For example, a project can define a team collaborating on an engineering project. A project specifies roles to associate its members, select existing networks that the deployed VMs can use, and (optionally) set usage limits on infrastructure resources.
The refactored project provides a consistent experience when you access it from Prism Central or from Calm. However when Calm is enabled, you can also configure application management specific features in your projects.
For more information on the Project Summary view and Project Details view, see Project Summary View and Project Details View.
For more information on how to create a project, add users, add infrastructure, configure environments, and managing quota and snapshot policies, see Projects Overview in the Prism Central Guide.
A blueprint is the framework for every application that you model by using Calm. Blueprints are templates that describe all the steps that are required to provision, configure, and execute tasks on the services and applications that you create.
You create a blueprint to represent the architecture of your application and then run the blueprint repeatedly to create an instance, provision, and launch applications.
A blueprint also defines the lifecycle of an application and its underlying infrastructure; starting from the creation of the application to the actions that are carried out on a blueprint until the termination of the application.
You can use blueprints to model the applications of various complexities; from simply provisioning a single virtual machine to provisioning and managing a multi-node, multi-tier application.
Calm uses services, application profiles, packages, substrates, and actions as building blocks for a blueprint to define applications.
An application is made up of multiple components (or services) working together. The architecture of an application is composed of compute, storage, network, and their connections and dependencies. Services are logical entities that are exposed by an IP address. End users and services communicate with each other over a network through their exposed IP addresses and ports. For more information, see Services Overview.
Any useful blueprint requires infrastructure for instantiation. A blueprint can specify the exact infrastructure or can be completely left to the blueprint user to specify at the time of instantiation.
An application profile provides different combinations of the service, package, and VM (infrastructure choices) while configuring a blueprint. The application profile allows you to use the same set of services and packages on the different platforms. You select an application profile while launching your blueprint.
Application profiles determine where an application should run, for example, on a Nutanix provider account or on an Azure account. Application profiles also control the T-shirt sizing of an application. T-shirt sizing means that the value of a variable might change based on the selection of a small or a large instance of an application.
If Showback feature is enabled, the application profile also displays service cost of the resources used for an application.
Package Install and Uninstall are operations that are run when you first launch a blueprint or when you finally delete the entire application. In other words, these operations are run during the Create or Delete profile actions. Package Install and Uninstall are unique to each application profile, which means that the tasks or the task contents can vary depending upon the underlying cloud or the size.
Package install is commonly used for installing software
packages. For example, installing PostgreSQL with
sudo yum -y install
postgresql-server postgresql-contrib
.
Substrates are a combination of the underlying cloud and the virtual machine instance. When you select the desired cloud, Calm displays all of the fields required for creating a virtual machine instance on that particular cloud. The combination of all these fields constitutes a substrate. Substrates are the infrastructure abstraction layer for Calm. Calm can quickly change where or how applications are deployed by simply changing the substrate.
Actions are runbooks to accomplish a particular task on your application. You can use actions to automate any process such as backup, upgrade, new user creation, or clean-up, and enforce an order of operations across services. For more information, see Actions Overview.
Calm also has a few other components that you can use while configuring your blueprints.
Calm macros are part of a templating language for Calm scripts. These are evaluated by Calm's execution engine before the script is run. Macros help in making scripts generic and creating reusable workflows. For more information, see Macros Overview.
Variables are either user defined or added to the entities by Calm. Variables are always present within the context of a Calm entity and are accessible directly in scripts running on that entity or any of its child entities. For more information, see Variables Overview.
Categories (or tags) are metadata labels that you assign to your cloud resources to categorize them for cost allocation, reporting, compliance, security, and so on. Each category is a combination of key and values. For more information, see Categories Overview.
Dependencies are used to define the dependence of one service in your application on another service or multiple other services for properties such as IP addresses and DNS names. For example, if service 2 is dependent on service 1, then service 1 starts first and stops after service 2.
For information about how to define dependencies between services, see Setting up the Service Dependencies.
You can configure the following blueprint types in Calm.
A single-VM blueprint is a framework that you can use to create and provision an instance and launch applications that require only one virtual machine. Single-VM blueprints enable you to quickly provide Infrastructure-as-a-Service (IaaS) to your end users. For more information, see Creating a Single-VM Blueprint.
A multi-VM blueprint is a framework that you can use to create an instance, provision, and launch applications requiring multiple VMs. You can define the underlying infrastructure of the VMs, application details, and actions that are carried out on a blueprint until the termination of the application. For more information, see Creating a Multi-VM Blueprint.
The blueprint editor provides a graphical representation of various components that allow you to visualize and configure the components and their dependencies in your environment.
Use the Blueprints tab to perform actions, such as:
Services are the virtual machine instances, existing machines or bare-metal machines, that you can provision and configure by using Calm. You can either provision a single service instance or multiple services based on the topology of your application. A service can only expose an IP address and ports on which the request is received. After a service is configured, you can clone or edit the service as required.
A service includes the following entities:
A VM defines the configuration of the virtual machine instance, the platform on which the VM will be installed, and the connection information of the machine. For example, as shown in the following figure, you need to define the name, cloud, operating system, IP address, and the connection information for an existing machine.
A package enables you to install and uninstall software on an existing machine or bare metal machine by using a script. You need to provide the credentials of the VM on which you need to run the script. A sample script is shown in the following figure. Package also defines the port number and the protocol that is used to access the service.
A service enables you to create the variables that are used to define the service-level tasks and service-level actions. As part of the service, you can also define the number of replicas that you want to create of a service. The maximum number of replicas allowed is 300.
For information about how to configure a service, see Configuring Nutanix and Existing Machine VM, Package, and Service.
Calm macros are part of a templating language for Calm scripts. These are evaluated by Calm's execution engine before the script is run.
Macros enable you to access the value of variables and properties that are set on entities. The variables can be user defined or system generated. For more information, see Variables Overview.
Macros help in making scripts generic and creating reusable workflows. You can use macros in tasks within the blueprints or in the configuration of Calm entities, such as the VM name.
Macros require a set of delimiters for evaluation. These are @@{ and }@@ . Everything within these delimiters is parsed and evaluated. For example,
Macros support the following entities.
Macros support the following data types.
Data Type | Usage |
---|---|
String |
@@{"some string"}@@ or @@{'some string'}@@
Note:
Newline or other such special
characters are not supported. You can use \ to escape quotes.
|
Numbers |
Supports integer and float. For example, @@{ 10 + 20.63 }@@
Note:
All variables
are treated as strings.
|
Macros support the following operations.
Calm allows you to access macros of an array service using a special macro which starts with calm_array . You can configure a VM with replicas and access the common macros of all the replicas. For example, you can:
@@{calm_array_name}@@
@@{calm_array_address}@@
@@{calm_array_id}@@
The following table lists the built-in macros that you can use to retrieve and display the entities.
Macro | Usage |
---|---|
@@{calm_array_index}@@ | Index of the entity within an array |
@@{calm_blueprint_name}@@ | Name of the blueprint from which the application was created |
@@{calm_blueprint_uuid}@@ | Universally unique identifier (UUID) of the blueprint from which the application was created |
@@{calm_application_name}@@ | Name of the application |
@@{calm_application_uuid}@@ | UUID of the application |
@@{calm_uuid}@@ | UUID of the entity within the application on which the current task is running |
@@{calm_random}@@ | A random number is generated each time this is used. This will be evaluated each time and should not be used in fields such as VM name. |
@@{calm_unique}@@ | A random number that is unique to this replica. This will be evaluated to the same value across runs. |
@@{calm_jwt}@@ | JWT for the currently logged in user for API authentication. |
@@{calm_now}@@
@@{calm_today}@@ |
The current time stamp |
@@{calm_time(“<format>”)}@@ | The current time in the specified format |
@@{calm_year(“YYYY”)}@@
@@{calm_year(“YY”)}@@ |
The current year in YYYY or YY format |
@@{calm_month(“short”)}@@
@@{calm_month(“long”)}@@ |
Name of the current month in long or short format |
@@{calm_day(“month”)}@@
@@{calm_day(“year”)}@@ |
Numeric day of the month or year |
@@{calm_weeknumber}@@
@@{calm_weeknumber(“iso”)}@@ |
ISO Numeric week of the year |
@@{calm_weekday(“number”)}@@
@@{calm_weekday(“name_short”)}@@ @@{calm_weekday(“name_long”)}@@ |
Day of the week in numeric or short name or long name |
@@{calm_hour(“12”)}@@
@@{calm_hour(“24”)}@@ @@{calm_hour(“am_pm”)}@@ |
Numeric hour of the day in 12:00-hour or 24:00-hour format along with AM or PM |
@@{calm_minute}@@ | Numeric minute |
@@{calm_second}@@ | Numeric second |
@@{calm_is_weekday}@@ | Displays 1 if the current day is a weekday |
@@{calm_is_long_weekday}@@ | Displays 1 if the current day is a weekday from Monday to Saturday |
@@{calm_is_within("time1", "time2")}@@ | Displays 1 if the current time is within the time1 and time2 range |
@@{calm_project_name}@@ | Displays the project name |
@@{calm_username + @nutanix.com}@@ | Displays the username |
@@{calm_float("32.65") * 2}@@
@@{calm_int(calm_array_index) + 1}@@ |
Typecast to integer. This is useful for binary operations. |
@@{calm_string(256) + "-bit"}@@
@@{"xyz" + calm_string(42)}@@ |
Typecast to string. This is useful for string concatenation. |
@@{calm_b64encode(api_response)}@@
@@{calm_b64encode("a,b,c")}@@ |
Base64 encode the data passed to this macro. |
@@{calm_b64encode(b64_encoded_data)}@@
@@{calm_b64encode("YSxiLGM=")}@@ |
Base64 decode the data passed to this macro. |
You can access the properties of a VM by using the platform macros. The following section describes the macros to access the VM properties for different providers.
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.status.cluster_reference.uuid}@@ | To access the uuid of the cluster or the Prism element. |
@@{platform.status.resources.nic_list[0].mac_address}@@ |
To access mac the address.
Note:
Use the
nic_list
index to
access the mac address of a specific nic.
|
@@{platform.status.resources.nic_list[0].subnet_reference.name}@@ | To access the NIC name. |
@@{platform.status.resources.power_state}@@ | To get the state of the VM. |
@@{platform.status.num_sockets}@@ | To access number of sockets of the VM. |
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.datastore[0].Name}@@ | To access the datastore name. |
@@{platform.num_sockets}@@ | To access number of sockets of the VM. |
Macro | Usage |
---|---|
@@{platform}@@ | To access all the properties of a VM. |
@@{platform.creationTimestamp}@@ | To get the VM creation time stamp. |
@@{platform.selfLink}@@ | To access the self link of the VM. |
@@{platform.networkInterfaces[0].subnetwork}@@ | To access the network details of the VM. |
The following table lists the endpoint macros for HTTP, Linux, and Windows endpoint types.
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.base_url}@@ | Base URL of the HTTP endpoint |
@@{endpoint.connection_timeout}@@ | Time interval in seconds after which the connection attempt to the endpoint stops |
@@{endpoint.retry_count}@@ | Number of attempts the system performs to create a task after each failure |
@@{endpoint.retry_interval}@@ | Time interval in seconds for each retry if the task fails |
@@{endpoint.tls_verify}@@ | Verification for the URL of the HTTP endpoint with a TLS certificate |
@@{endpoint.proxy_type}@@ | HTTP(s) proxy/SOCKS5 proxy to use |
@@{endpoint.base_urls}@@ | Base URLs of HTTP endpoints |
@@{endpoint.authentication_type}@@ | Authentication method to connect to an HTTP endpoint: Basic or None |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.address}@@ | IP address to access the endpoint device |
@@{endpoint.port}@@ | Port number to access the endpoint |
@@{endpoint.value_type}@@ | Target type of the endpoint: IP address or VM |
@@{endpoint.addresses}@@ | IP addresses to access endpoint devices |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
Macro | Usage |
---|---|
@@{endpoint.name}@@ | Name of the endpoint |
@@{endpoint.type}@@ | Type of the endpoint |
@@{endpoint.length}@@ | Number of IP Addresses in the endpoint |
@@{endpoint.index}@@ | Index of the IP address or VM in a given endpoint |
@@{endpoint.address}@@ | IP address to access the endpoint device |
@@{endpoint.port}@@ | Port number to access the endpoint |
@@{endpoint.value_type}@@ | Target type of the endpoint: IP address or VM |
@@{endpoint.connection_protocol}@@ | Connection protocol to access the endpoint: HTTP or HTTPS |
@@{endpoint.addresses}@@ | IP addresses to access endpoint devices |
@@{endpoint.credential.secret}@@ | Credential secret type to access the endpoint: Passphrase or SSH Private Key |
@@{endpoint.credential.username}@@ | User name in the credential to access the endpoint |
The following table lists the runbook macros.
Macro | Usage |
---|---|
@@{calm_runbook_name}@@ | Name of the runbook |
@@{calm_runbook_uuid}@@ | Universally unique identifier (UUID) of the runbook |
The following table lists the common properties of the virtual machine that are available for usage.
Properties | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
Macros provide a way to access the values of variables that you set on entities. Variables are either user defined or added to the entities by Calm. Variables are always present within the context of a Calm entity and are accessible directly in scripts running on that entity or any of its child entities.
The variable value of a parent entity can be accessed by the child entity unless the properties or the variables are overridden by another entity.
For example, if Variable1 is a variable that you defined on the application profile, then all child entity of the application profile can directly access the value of Variable1 in any task or script running on it as @@{variable1}@@ unless overridden by another entity.
Variables are directly accessed as @@{variable_name}@@ within any task on an entity where the variable is defined and all child entity that inherit this variable. This syntax only delivers the value for the corresponding replica in which the task is running. To get comma-separated values across replicas, you can use @@{calm_array_variable_name}@@ .
For example, on a service with 2 replicas, if you set a backup_dir variable through a set variable Escript task such as:
print "backup_dir=/tmp/backup_@@{calm_array_index}@@"
You get /tmp/backup_0 and /tmp/backup_1 values for replica 0 and 1 respectively.
When a task runs on this service with the echo "@@{backup_dir}@@" script, the script evaluates the following values in each replica of the service:
/tmp/backup_0
/tmp/backup_1
When you change the script to echo "@@{calm_array_backup_dir}@@" , the script evaluates to the following values in each replica of the service:
/tmp/backup_0,/tmp/backup_1
/tmp/backup_0,/tmp/backup_1
The syntax to access the value of variables or properties of other entities or dependencies is @@{<entity name>.<variable/attribute name>}@@ where entity name , is the name of the other entity or dependency and variable/attribute name is the name of the variable or attribute. For example:
Action-level variables are variables that are associated to an action and passed as an argument to the runlog when you run the action. Service action variables are unique for each service while the profile action variables are unique for each profile across all services and replicas. If you deploy five replicas, the service action variables will be the same across all replicas.
Action variables are used in the context of running an action and are defined at the action level. For example, if you have an action to install or uninstall a package on a particular VM, you can have the following action variables.
With multiple runs of this action, you can then install or uninstall multiple packages on the VM.
The following table lists the Nutanix variables that are available for usage.
Variables | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in VMware macros that you can use to retrieve and display the entities.
Properties | Usage |
---|---|
@@{address}@@ | IP address of the instance that is used by Calm to access the VM |
@@{id}@@ | ID of the platform identifier |
@@{name}@@ | Name of the VM or container |
@@{mac_address}@@ | Mac address of the VM |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in AWS macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{aws_instance_id}@@ | Instance ID of AWS |
@@{private_ip_address}@@ | Private IP address |
@@{private_dns_name}@@ | Private DNS name |
@@{public_ip_address}@@ | Public IP address |
@@{public_dns_name}@@ | Public DNS name |
@@{vm_zone}@@ | AWS zone of instance |
@@{platform}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the built-in GCP macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@
@@{ip_address}@@ @@{public_ip_address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{zone}@@ | Zone in which the VM instance is created. |
@@{platform_data}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
@@{internal_ips}@@ | List of all the private IP addresses. |
@@{external_ips}@@ | List of all the public IP addresses. |
The following table lists the built-in Azure macros that you can use to retrieve and display the entities.
Macros | Usage |
---|---|
@@{address}@@ |
IP address of the instance that is used by Calm to access the VM.
Note:
The
VM Name
field does not support this macro.
|
@@{id}@@ |
Internal ID of the instance that is used within the Prism.
Note:
The
VM Name
field does not support this macro.
|
@@{name}@@ |
Name of the VM.
Note:
The
VM Name
field does not support
this macro.
|
@@{private_ip_address}@@ | Private IP address |
@@{public_ip_address}@@ | Public IP address |
@@{resource_group}@@ | Resource group name in which the VM instance is created. |
@@{platform_data}@@ | Platform response for a GET query. This is the response in JSON format from provider. |
The following table lists the Kubernetes variables that are available for usage.
Properties | Usage |
---|---|
@@{K8sPublishedService.address}@@ | IP address of the service. |
@@{K8sPublishedService.name}@@ | Name of the service. |
@@{K8sPublishedService.ingress}@@ | Load balancer IP for public service. |
@@{K8sPublishedService.platform}@@ | Platform data for the service. |
@@{K8sDeployement.name}@@ | Name of the deployment. |
@@{K8sDeployement.platform}@@ | Platform data for the deployment. |
Categories (or tags) are metadata labels that you assign to your cloud resources to categorize them for cost allocation, reporting, compliance, security, and so on. Each category is a combination of key and values.
Your providers impose a limit to the number of tags that you can use for cloud governance. The following table lists the category or tag limit imposed by each provider:
Providers | Category or Tag Limit |
---|---|
Nutanix | 30 |
AWS | 50 |
VMware | No limit |
GCP | 15 |
Azure | 15 |
Calm reserves 6 tags out of the total tags allowed by your provider and populates them automatically when you provision your VMs using Calm. For example, AWS allows a limit of 50 tags. When you provision your VM on AWS using Calm, 6 out of 50 tags are automatically populated with keys and values specific to Calm VM provisioning. You can use the remaining 46 tags to define other key-value pairs.
The following table lists the Calm-specific categories or tags and their availability for different providers:
Categories or Tags | Nutanix | AWS | VMware | GCP | Azure |
---|---|---|---|---|---|
account_uuid | X | X | X | X | |
CalmApplication | X | X | X | X | X |
CalmService | X | X | X | X | X |
CalmUsername | X | X | X | X | X |
Calm Project | X | X | X | X | |
OSType | X | X | X | X | X |
A single-VM blueprint is a framework that you can use to create and provision an instance and launch applications that require only one virtual machine.
Single-VM blueprints enable you to quickly provide Infrastructure-as-a-Service (IaaS) to your end users.
You can create single-VM blueprints with your Nutanix, VMware, AWS, GCP, or Azure accounts. Use these steps to create a single-VM blueprint with any of your provider accounts.
Perform the following steps to do the preliminary setup of your single-VM blueprint.
Perform the following steps to add VM details to your blueprint.
Configuring the VM in your blueprint is specific to the provider account and the operating system you select for your blueprint. You can configure the VM in a blueprint with Nutanix, VMware, AWS, GCP, or Azure accounts.
Perform the following steps to configure the VM in a single-VM blueprint for your Nutanix account.
vm-@@{calm_time}@@
. For more information on Calm macros,
see Macros Overview.
Perform the following steps to configure the VM in a single-VM blueprint for your VMware account.
Templates allow you to create multiple virtual machines with the same characteristics, such as resources allocated to CPU and memory or the type of virtual hardware. Templates save time and avoid errors when configuring settings and other parameters to create VMs. The VM template retrieves the list options from the configured vCenter.
For more information, refer to VMware KB articles.
A content library stores and manages content (VMs, vApp templates, and other types of files) in the form of library items. A single library item can consist of one file or multiple files. For more information about the vCenter content library, see the VMware Documentation .
Perform the following steps to configure the VM in a single-VM blueprint for your GCP account.
Perform the following steps to configure the VM in a single-VM blueprint for your AWS account.
Perform the following steps to configure the VM in a single-VM blueprint for your Azure account.
The Resource Group list displays the resource groups that are associated with the subscriptions you selected in your Azure account. In case you have not selected any subscriptions, Calm considers all the subscriptions that are available in the Azure service principal to display the resource groups. Each resource group in the list also displays the associated subscription.
Perform the following steps to configure the VM in a single-VM blueprint for your Xi Cloud account.
vm-@@{calm_time}@@
. For more information on Calm macros,
see Macros Overview.
Perform the following steps to configure advanced options such as credentials, packages, pre-create and post-delete tasks. Configuring advanced options is optional for a blueprint.
Perform the following steps to configure pre-create task, post-delete task, install package, or uninstall package in a single-VM blueprint.
Perform the following steps to configure application variables in your blueprint.
[
{
"display": "HTML Tutorial",
"url": "https://www.w3schools.com/html/default.asp"
},
{
"display": "CSS Tutorial",
"url": "https://www.w3schools.com/css/default.asp"
},
{
"display": "JavaScript Tutorial",
"url": "https://www.w3schools.com/js/default.asp"
},
{
"display": "jQuery Tutorial",
"url": "https://www.w3schools.com/jquery/default.asp"
},
{
"display": "SQL Tutorial",
"url": "https://www.w3schools.com/sql/default.asp"
},
{
"display": "PHP Tutorial",
"url": "https://www.w3schools.com/php/default.asp"
},
{
"display": "XML Tutorial",
"url": "https://www.w3schools.com/xml/default.asp"
}
]
Then,
during the launch time the list options are ["HTML Tutorial","CSS
Tutorial","JavaScript Tutorial","jQuery Tutorial","SQL Tutorial","PHP
Tutorial","XML Tutorial"].
A multi-VM blueprint is a framework that you can use to create an instance, provision, and launch applications that require multiple VMs.
In a Multi-VM blueprint, you can define the underlying infrastructure of the VMs, application details, and actions that are carried out on a blueprint until the termination of the application.
Services are the virtual machine instances, existing machines or bare-metal machines, that you can provision and configure by using Calm. A service exposes the IP address and ports on which the request is received. You can either provision a single-service instance or multiple services based on the topology of your application.
For more information about services in Calm, see Services Overview.
You can define and configure the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application for a service provider.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a Nutanix platform.
vm-@@{calm_array_index}@@-@@{calm_time}@@
. For more
information on Calm macros, see Macros Overview.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on an AWS platform.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a VMware platform.
Templates allow you to create multiple virtual machines with the same characteristics, such as resources allocated to CPU and memory or the type of virtual hardware. Templates save time and avoid errors when configuring settings and other parameters to create VMs. The VM template retrieves the list options from the configured vCenter.
For more information, refer to VMware KB articles.
A content library stores and manages content (VMs, vApp templates, and other types of files) in the form of library items. A single library item can consist of one file or multiple files. For more information about the vCenter content library, see the VMware Documentation .
To know the supported VMware guest tools versions, see the
VMware Product Interoperability Matrices .
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on a GCP platform.
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on an Azure platform.
The Resource Group list displays the resource groups that are associated with the subscriptions you selected in your Azure account. In case you have not selected any subscriptions, Calm considers all the subscriptions that are available in the Azure service principal to display the resource groups. Each resource group in the list also displays the associated subscription.
For Windows VMs, the Store field specifies the certificate store on the virtual machine to which the certificate is added. The specified certificate store is implicitly created in the LocalMachine account.
For Linux VMs, the certificate file is placed under the /var/lib/waagent directory. The format of the file name is <UppercaseThumbprint>.crt for the X509 certificate and <UppercaseThumbpring>.prv for private key. Both of these files are .pem formatted.
The following section describes Azure troubleshooting.
/home/calm/log/styx.log
You can define the underlying infrastructure of the VM, application details, and actions that are carried out on a blueprint until the termination of the application on Xi cloud provider.
Xi Infrastructure Service Admininistration
Guide.
Perform the following procedure to configure Kubernetes Deployment, Containers, and Service.
A Pod is the basic execution unit of a Kubernetes application and the smallest and simplest unit in the Kubernetes object model that you create or deploy. A Pod represents processes running on your cluster.
Labels are key/value pairs that are attached to objects, such as pods. You can use Labels to specify identifying attributes of objects that are meaningful and relevant to users, but do not directly imply semantics to the core system. You can also use Labels to organize and to select subsets of objects. You can attach Labels to objects either at the creation time or later. Each object can have a set of key/value labels defined. Each key must be unique for a given object.
NodePort
). A
ClusterIP
Service, to which the
NodePort
Service routes, is automatically created.
You'll be able to contact the
NodePort
Service, from
outside the cluster, by requesting
<NodeIP>:<NodePort>
.
NodePort
and
ClusterIP
Services, to which the external load
balancer routes, are automatically created.
Labels are key/value pairs that are attached to objects, such as pods. You can use Labels to specify identifying attributes of objects that are meaningful and relevant, but do not directly imply semantics to the core system. You can also use Labels to organize and select subsets of objects. You can attach Labels to objects at creation time and add or modify at any time. Each object can have a set of key/value labels defined. Each key must be unique for a given object.
Dependencies are used to define the order in which tasks must get executed. Perform the following procedure to set up the service dependency.
An application profile provides different combinations of the service, package, and VM while configuring a blueprint. You configure application profiles and use them while launching a blueprint.
[
{
"display": "HTML Tutorial",
"url": "https://www.w3schools.com/html/default.asp"
},
{
"display": "CSS Tutorial",
"url": "https://www.w3schools.com/css/default.asp"
},
{
"display": "JavaScript Tutorial",
"url": "https://www.w3schools.com/js/default.asp"
},
{
"display": "jQuery Tutorial",
"url": "https://www.w3schools.com/jquery/default.asp"
},
{
"display": "SQL Tutorial",
"url": "https://www.w3schools.com/sql/default.asp"
},
{
"display": "PHP Tutorial",
"url": "https://www.w3schools.com/php/default.asp"
},
{
"display": "XML Tutorial",
"url": "https://www.w3schools.com/xml/default.asp"
}
]
Then,
during the launch time the list options are ["HTML Tutorial","CSS
Tutorial","JavaScript Tutorial","jQuery Tutorial","SQL Tutorial","PHP
Tutorial","XML Tutorial"].
Blueprint configuration involves adding tasks, actions, snapshot and restore configurations, and VM update configurations.
Perform the following procedure to configure a blueprint.
Credentials are used to authenticate a user to access various services in Calm. Calm supports static and dynamic credentials with key-based and password-based authentication methods.
You configure a check log-in task to check whether you are able to SSH into the VM you create. Perform the following steps to configure check log-in.
You can either select the public IP address or private IP address of a NIC.
Delay timer defines the time period when the check login script is run after the VM starts. It allows you to configure the delay time to allow guest customization script, IP, and all other services to come up before running the check login script.
Tasks are part of your deployment creation process and are run one after the other. The tasks are used to perform a variety of operations such as setting up your environment, installing a set of software on your service, and so on.
You have the following basic types of tasks.
Pre-create tasks are actions that are performed before a service is provisioned in a blueprint. For example, if you want to assign static IP addresses to your VMs by using IPAM service, you can create and run a pre-create task to receive the IP addresses before the service is provisioned. The pre-create task helps to restrict the broadcast traffic to receive the IP addresses for those VMs during the service provision.
Post-delete tasks are actions that are performed after you delete a service in a blueprint. For example, if you want to delete the assigned IP addresses from your VMs, you can add a post-delete task to delete the IP addresses after the service is deleted. The post-delete task helps to restrict the broadcast traffic to delete the IP addresses for those VMs during the service provision.
You can create the Execute task type to run scripts on the VM.
eScripts
, see Supported eScript Modules and Functions.
For sample
Powershell
scripts, see Sample Powershell Script.
You can create a Set Variable task type to change variables in a blueprint.
Escripts
, see Supported eScript Modules and Functions.
For sample
Powershell
scripts, see Sample Powershell Script.
You can create an HTTP task type to query REST calls from a URL. An HTTP task supports GET, PUT, POST, and DELETE methods.
You can create a Delay task type to set a time interval between two tasks or actions.
Pre-create tasks are actions that are performed before a service is provisioned in a blueprint. Post-delete tasks are actions that are performed after you delete a service in a blueprint.
Actions are flows to accomplish a particular task on your application. You can use actions to automate any process such as backup, upgrade, new user creation, or clean-up and enforce an order of operations across services.
You can categorize actions into the following types.
Type | Description |
---|---|
Profile Actions |
Application Profile Actions are a set of operations that you can run on your
application. For example, when you launch a blueprint, the Create action is run. When
you do not need the application for a period of time, you can run the Stop action to
gracefully stop your application. When you are ready to resume your work, you can run
Start action to bring the application back to the running state.
You have the following types of profile actions.
|
Service Actions |
Service Actions are a set of operations that are run on an individual service.
These actions cannot be run directly by the application user but can be run indirectly
using either a profile actions or a package install or uninstall operation.
Services span application profiles. For example, if you create a service action in the AHV profile, the same service action is available in the AWS profile as well. You have the following types of service actions.
|
The following are the most common custom actions that developers add to their blueprints:
Custom Action | Description |
---|---|
Scale In |
The scale-in functionality enables you to decrease the number of replicas of a
service deployment. The number of instances to be removed from a service for each
scale-in action is defined in the blueprint while configuring the task in the
profile level action.
The scale count number must be less than or equals to the minimum number of replicas defined for the service. The VM that is created last is deleted first. For information on how to configure scale in, see Adding and Configuring Scale Out and Scale In. |
Scale Out |
The scale out functionality enables you to increase the number of replicas of a
service deployment. The number of instances to be added to a service for each
scale-out action is defined in the blueprint while configuring the task in the
profile level action.
The scale count number must be less than or equals to the maximum number of replicas defined for the service. For information on how to configure scale out, see Adding and Configuring Scale Out and Scale In. |
For information about how to create an action, see Adding an Action to a Multi-VM Blueprint and Adding an Action to a Single-VM Blueprint.
An action is a set of operations that you can run on your application that are created as a result of running a blueprint.
An action is a set of operations that you can run on your application that are created as a result of running a blueprint.
Perform the following procedure to add and configure the Scale Out and Scale In task.
The snapshot and restore feature allows you to create a snapshot of a virtual machine at a particular point in time and restore from the snapshot to recreate the application VM from that time. You can configure snapshot and restore for both single-VM and multi-VM applications on a Nutanix platform. All you need to do is to add the snapshot/restore configuration to the blueprint. Adding the configuration generates separate profile actions for snapshot and restore to which you can add further tasks and actions.
For VMware, AWS, and Azure platforms, the snapshot and restore feature is available by default only to the single-VM applications.
For more information on blueprint configuration for snapshots, see Configuring Single-VM Blueprints with Nutanix for Snapshots and Configuring Multi-VM Blueprints on Nutanix for Snapshots.
The snapshot/restore action for single-VM applications with Nutanix is no longer available by default. To enable snapshot, you must add a snapshot/restore configuration to the single-VM blueprint. You can configure to create snapshots locally or on a remote cluster. Snapshot and restore is a paired action in a blueprint and are always managed together.
The snapshot/restore configuration generates separate application profile actions for snapshot and restore. These actions also allow you to add more tasks and actions as part of the snapshot and restore configuration. For example, shutting down the application and the VM before creating the snapshot or restarting the VM before a restore. You can access these actions from the Manage tab of the Applications page.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
You can configure the snapshot/restore action in a blueprint on Nutanix account to create snapshots locally or on a remote cluster. Snapshot/restore is a paired action for a particular service in a blueprint and are always managed together.
The snapshot/restore definition of a service generates snapshot configuration and its corresponding restore configuration. You can use these configurations to modify your snapshot and restore setup.
The snapshot/restore configuration generates separate application profile actions for snapshot and restore. These actions allow you to add more tasks and actions as part of the snapshot and restore configuration. For example, shutting down the application and the VM before creating the snapshot or restarting the VM or services before a restore. You can access these actions from the Manage tab of the Applications page to create or restore snapshots.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
The update configuration feature allows you to update virtual machines of running applications on Nutanix to a higher or lower configuration. Using this feature, you can modify VM specifications such as the vCPU, memory, disks, networking, or categories (tags) of a running application with minimal downtime. You no longer have to create new blueprints or approach your IT administrator to modify VM resources.
To update configurations of a running application VM, you need to perform the following actions:
As a blueprint developer, you can add update configurations for a service in the blueprint. These update configurations are at the parallel level of application profile actions and can be executed individually for a particular service. As part of the configuration, you can do the following:
For example, consider a case where the original vCPU value in the blueprint is 4. You then add a change factor to the update configuration to increase the vCPU by 1 with a maximum limit of 5. When this update is launched, you can run the action only once to increase the vCPU to 5. Once the VM is upgraded to 5 vCPU, you cannot add any more vCPUs to the VM.
The update configuration generates the corresponding action where you can add tasks to define how you want to execute the update.
For more information about adding update configuration to a blueprint, see Adding an Update Configuration to Single-VM Blueprints and Adding an Update Configuration to Multi-VM Blueprints.
You can update VM specifications from the Manage tab of applications on Nutanix. For more information, see Update VM Configurations of Running Applications.
As a blueprint developer, you can add an update configuration to a single-VM application blueprint.
The update configuration feature allows you to update the virtual machine of a running single-VM application to a higher or lower configuration. For more information, see Update Configuration for VM.
As a blueprint developer, you can add an update configuration for a service to a multi-VM application blueprint.
The update configuration feature allows you to update virtual machines of running multi-VM applications to a higher or lower configuration. For more information, see Update Configuration for VM.
After you configure a blueprint, you can publish, unpublish, launch, or delete a blueprint.
Publishing a blueprint allows you to make the blueprint available at Marketplace, so that other users can use the published blueprint. Unpublishing a blueprint allows you to remove the blueprint from the Marketplace. For more information, see Submitting a Blueprint for Approval.
Launching a blueprint allows you to deploy your application on the blueprint and start using it.
The blueprint launch page provides the following views:
Blueprints that are launched from the marketplace display only the fields that require inputs from consumers. Displaying only editable fields offers a simpler and easy launching experience for your consumers.
You can switch to View as Developer after you develop your blueprints to verify how you configured different fields and the launching experience the configuration will provide to your consumers.
For more information, see Launching a Blueprint.
After you configure a blueprint, you can submit the blueprint to get an approval from the administrator. The administrator approves the blueprint and then publishes the blueprint at the marketplace for consumption.
You launch a blueprint to deploy an application on the blueprint and start using the application.
If the validation is successful, the application is available under the Application tab.
When you enter the platform data that is invalid for a provider while creating a blueprint, you get a validation error. The following table details the invalid platform data for each provider.
Providers | Invalid Platform Data |
Nutanix | Image, NIC List, and Categories. |
GCP | Machine Type, Disk Type, Network, SubNetwork, Source, Image, Zone, and Blank Disk. |
AWS | Vpc, Security Groups, and Subnets. |
VMware | Network name, NIC Type, NIC settings mismatch, Host, Template, Datastore, Datacenter, Storage Pod, and cluster. |
Azure | Image details (publisher, offer, sku, version), Custom image, Resource group, Availability Set Id, NIC List, Network Security group, Virtual Network Name, and Subnet Name. |
The platform validation error message appears as displayed in the following image.
You can also upload configured blueprints to the Blueprints tab. Perform the following procedure to upload a blueprint.
You can also download a configured blueprint to your local machine and use it later. Perform the following procedure to download a blueprint.
Perform the following procedure to view a blueprint.
You can edit a configured blueprint from the blueprints tab. Perform the following procedure to edit a blueprint.
Perform the following procedure to delete a blueprint.
If you have configured wrong details in your blueprint, you can view the error message while saving or publishing a blueprint. Perform the following procedure to view blueprint error message.
You can recover the deleted application blueprints within a time period of 90 days after you delete an application blueprint. This chapter describes the procedure to recover a deleted blueprint.
The marketplace provides preconfigured application blueprints and runbooks for instant consumption. The marketplace is a common platform for both publishers and consumers.
The marketplace has banners to display featured applications. All listed applications display the icon of the platform that supports the application.
You can filter applications or runbooks based on their category and source. You can also search an application or runbook in the marketplace.
Before provisioning an application, you can view details such as application overview, changes made in different versions, and application-level actions.
You can view application details such as licensing, installed resources, hardware requirements, operating systems, platforms, and limitations before you provision the application. You can also view the changes made in different versions and application-level actions.
Perform the following procedure to filter application blueprints or runbooks in the marketplace.
Perform the following procedure to search an application blueprint or runbook.
You can use the Marketplace tab to launch an application blueprint that is approved and published to the marketplace. The application launch page displays the fields that are editable by the consumer.
Following are the rules for naming convention.
VM configurations in blueprints and environments are associated with accounts. The environment patching depends on the account that you associate with the marketplace blueprint and the environment you configured.
To patch a cloud provider VM that has a specific OS type, Calm finds the corresponding match in the environment. In case there are no matches available, Calm displays a notification.
The following table lists the environment patching behavior for platform-dependent and platform-independent fields:
Fields | Condition | Patching Behavior |
---|---|---|
Platform-Dependent Fields | When different accounts are associated with the blueprint and environment | Values from the environment get preference for patching, irrespective of the values in the blueprint. |
Platform-Dependent Fields | When the blueprint and the environment have the same account | Values from the environment are patched only when the fields do not have any value in the blueprint. |
Platform-Independent Fields | When different accounts are associated with the blueprint and environment | Values from the environment are patched only when the fields do not have any value in the blueprint. |
Platform-Independent Fields | When the blueprint and the environment have the same account | Values from the environment are patched only when the fields do not have any value in the blueprint. |
The following table lists the platform-dependent fields for different platforms.
Platform | Platform-Dependent Fields |
---|---|
Nutanix | Image, Categories, Cluster, and NIC |
AWS | Machine Image, Key, Instance Profile Name, VPC ID, Subnet ID, and Security Group List |
GCP | Machine Type, Zone, Network, Disk Type, Source Image, and Email |
VMware | Host, Template, Datastore, Cluster, Storage Pod, Network Name, NIC Type, Disk Location, Disk ISO Path, Folder, and Tag List |
Azure | Resource Group, Location, Availability Set ID, Resource Group Details, Resource Group Operation, Network Security Group Name, Network Name, Subnet Name, Network Security Group ID, Virtual Network ID, Subnet ID, Publisher, Offer, SKU, Version, Source Image Type, and Source Image ID |
Assume that you have two Nutanix Prism Central accounts PC1 and PC2, and you added these accounts to your project (Project1). You then create two environments in the project with the following VM configuration:
ENV1 | ENV2 |
---|---|
|
|
You then create a blueprint with a Nutanix service under Project1 having the following configuration:
When you publish this blueprint in the marketplace and launch the blueprint with a different environment, the environment patching happens as follows:
Because different accounts are associated with the blueprint and environment, all platform-dependent field values are patched from the environment to the blueprint, irrespective of the values already available in the blueprint. The blueprint is launched with the following configuration.
Because the account is same for both blueprint and environment and all the platform-dependent fields already have values, the patching does not happen. The blueprint is launched with the following configuration.
Assume that you have a Prism Central account PC1 that is associated with two Prism Elements PE1 and PE2, and you add PC1 to your project (Project1).
Assume that the associated Prism Elements have the following networks.
You then create two environments with the following VM configuration:
ENV1 | ENV2 |
---|---|
|
|
You then create a blueprint with a Nutanix service under Project1 having the following configuration:
When you publish this blueprint in the marketplace and launch the blueprint with a different environment, the environment patching happens as follows:
Prism Element accounts are derived from the NIC or subnet. The PE1_Net2 network used in the blueprint associates the blueprint to Prism Element PE1, and the PE2_Net1 network used in ENV2 associates the environment to Prism Element PE2.
Because these two networks are connected to two
different Prism Element
account_uuid
, Calm considers this case as two
different accounts associated with the blueprint and environment. All platform-dependent
field values are, therefore, patched from the environment to the blueprint, irrespective
of the values already available in the blueprint. The blueprint is launched with the
following configuration.
The PE1_Net2 network used in the blueprint and the PE1_Net1 network used in ENV belong to the same Prism Element account.
Because these two networks share the same Prism Element
account_uuid
, Calm considers this case as the same account associated
with both the blueprint and environment. Platform-dependent fields in this case already
have values, and the patching does not happen. The blueprint is launched with the
following configuration.
Patching of credentials happens only when you publish your blueprints in the marketplace without secrets.
For patching, the credentials of the marketplace blueprint are mapped with the environment using the associated provider account and operating system type. The password or the key value of the corresponding environment is then patched to the blueprint. The credential name and the credential username are never patched from the environment.
For example, if the blueprint and the environment have the following configurations:
Blueprint | Environment |
---|---|
|
|
The credentials patching in the blueprint happens as follows:
When Blueprint is Published with Secrets | When Blueprint is Published without Secrets |
---|---|
|
|
The Cluster field is platform dependent. The environment patching logic of a platform-dependent field depends on the account that you associate with the marketplace item and the VM configuration of the environment.
Condition | Patching Behavior |
---|---|
When the cluster reference in the blueprint and in the environment VM configuration is the same. | No patching happens. The cluster reference from the blueprint is used for the launch. |
When the cluster reference in the blueprint and in the environment VM configuration is different. | Patching happens. The cluster value is patched from the environment for the launch. |
When the cluster reference in the blueprint is a macro.
Note:
Cluster reference
can be a macro only when all the subnets are overlay subnets or all the subnets are
macros.
|
No patching happens. The cluster value will remain as a macro.
When the reference is a macro, it is independent of the environment or the account that is being used for launch. |
VLAN subnets are platform dependent. The environment patching logic of VLAN subnets depends on the cluster reference of the blueprint and the cluster reference of the associated environment VM configuration.
Overlay subnets are VPC dependent. The environment patching logic of these subnets depends on the VPC reference in the blueprint and the VPC reference of the associated environment VM configuration.
All subnets in the substrate of a blueprint can either have overlay subnets or VLAN subnets. If subnets are overlay subnets, then all the subnets in the substrate must belong to the same VPC.
Condition | Patching Behavior |
---|---|
When the VLAN subnets in the blueprint and in the environment VM configuration is the same. | No patching happens. VLAN subnets are platform dependent. The VLAN subnet values referred in the blueprint are used. |
When the VLAN subnets in the blueprint and in the environment VM configuration is different. | Patching happens. VLAN subnets are platform dependent. The VLAN subnet values are patched from the environment. |
When the VPC reference of the subnets (overlay subnets) in the blueprint and the environment VM configuration is the same. |
No patching happens. The subnet values of the blueprint are used for the
launch.
Values from the environment is patched only if it is empty in the blueprint or not allowed in the destination environment. |
When the VPC reference of the subnets (overlay subnets) in the blueprint and the environment VM configuration is different. | Patching happens. The subnet values are patched directly from the environment. |
When the network type in the blueprint and the environment VM configuration are different (for example, overlay subnets in the blueprint and VLAN subnets in the environment). | Patching happens. The subnet values are patched directly from the environment. |
When the subnet reference of the any of the NICs in the blueprint is a macro. | Patching follows the usual conditions. However, the macros are never patched. |
You can execute a runbook an approved and published runbook using the Marketplace tab.
You can clone an application blueprint or runbook from the marketplace.
Use Marketplace Manager to manage the list of custom blueprints, ready-to-use marketplace application blueprints, and runbooks. You can approve, reject, launch, publish, unpublish, assign a category, and select projects for a blueprint. You can also approve, reject, publish, unpublish, and execute runbooks.
The Approved tab on the Marketplace Manager page provide you a list of ready-to-use application blueprints and the custom blueprints or runbooks you approved. The Approval Pending tab provides a list of custom blueprints and runbooks that require your approval to be available in the Marketplace for consumption.
When you select a blueprint or runbook from the list on any tab, the inspector panel displays the operations you can perform on the selected blueprint or runbook. The inspector panel also displays a brief overview of the blueprint or runbook and allows you to assign projects to blueprint or runbook.
You can perform the following actions on blueprints or runbooks.
Marketplace version enables you to define the initial version number of the blueprint or runbook that is getting published to the marketplace. Marketplace version also enables you to revise the version of a blueprint or runbook that is already published to the marketplace. For information about how to define marketplace version, see Submitting a Blueprint for Approval or Submitting a Runbook for Publishing.
You can approve custom blueprints or runbooks that are submitted for approval on the Approval Pending tab. You can also publish the approved blueprints or runbooks to the marketplace after associating them with a project on the Approved tab.
The Approved tab also displays the ready-to-use application blueprints that are available after enabling the Nutanix Marketplace Apps toggle button on the Settings page. These application blueprints do not require approval and can be published directly to the marketplace after associating them with a project. For more information about enabling the ready-to-use applications, see Enabling Nutanix Marketplace Applications.
You can unpublish a blueprint or runbook if you do not want to list it in the Marketplace. You can publish the blueprint or runbook again if required.
You can delete a blueprint or runbook that is not published in the marketplace. If you want to delete a published blueprint or runbook, you first have to unpublish it and then delete it.
You create applications in Calm by creating and launching blueprints.
The Applications page displays the list of all published applications under the Applications tab and the list of brownfield applications under the Brownfield Applications tab.
The Applications page provides the following details about an application.
You have the following application-level actions.
You cannot perform the Create action after the blueprint is launched and the application is created. You can perform all other application-level actions according to the application state.
You can also perform advanced application actions such as creating or restoring snapshots, updating VM configuration, or cloning an application. See the Advanced Application Actions chapter in this guide for details.
The applications page displays the state of the application based on the actions you perform on the Manage tab.
Application State | Description |
---|---|
Provisioning | When you start an application. |
Running | When the application is deployed and running after the provisioning state. |
Stopping | When you have initiated an operation to stop the application. |
Stopped | When the application is stopped. |
Restarting | When you have initiated an operation to restart the application after the application is stopped. |
Deleting | When you have initiated an operation to delete the application. |
Deleted | When the application is deleted. |
Busy | When you have installed the NGT services on the VMs of an application. |
Updating | When you are editing an application. |
Error | When the application goes to error state due to any action you have performed in the Manage tab. |
Failover-in-progress | When you have initiated a failover operation on Prism Central for the protected VMs of an application. |
Failover-failed |
When the failover operation for the VMs has failed. The failure state mainly
occurs in the following conditions.
|
You can click an application name to get details about the application as shown in the following figure.
The application page consists of the following tabs.
The Overview tab consists of the following panels.
Panel | Description |
---|---|
Application Description | Displays the application description. |
Variables | Displays the variable list used to create the blueprint. You can click the copy icon next to the variable to copy the variable. |
Cost Summary |
Displays the total cost, current cost for each hour, and the cost incurred in a
month for the resources that are running in the blueprint. The cost summary panel also
displays a graphical representation of the incurred cost.
Note:
The
Cost
Summary
panel is applicable for Nutanix and VMware
providers.
|
App Summary |
Displays the following application details.
|
App Status |
Displays the summary of virtual machines (VMs). The panel displays the number of
VMs that are in the following state.
|
VM info |
Displays the following VM details of the application.
|
The Manage tab lists the system-generated and user-created actions that you can perform on the application. When you click any of the listed actions, the editor displays the action dependencies.
You can perform the following system-generated actions on an application.
Nutanix guest tools (NGT) is a software bundle that you can install in a guest virtual machine (Microsoft Windows or Linux) to enable the advanced functionalities provided by Nutanix. For more information on NGT, see the Nutanix Guest Tool section in the Prism Web Console Guide .
The inspector panel also displays the action you perform on an application. To view the detailed course of the action, click Action .
The Metrics tab allows you to view performance metrics of the VM. The Metrics tab displays a section on the left with a list of metrics.
The following table describes the available metrics.
Metric | Description |
---|---|
CPU usage | Displays the percentage of CPU capacity currently the VM is using (0–100%). |
CPU ready Time | Displays the current, high, and low percentage of CPU ready time (0–100%). |
Memory usage | Displays the percentage of memory capacity currently the VM is using (0–100%). |
I/O Bandwidth | Displays separate graphs for total, write (only), and read (only) I/O bandwidth used per second (Mbps or KBps) for physical disk requests by the VM. |
I/O Latency | Displays separate graphs for total, write, and read average I/O latency (in milliseconds) for physical disk requests by the VM. |
IOPS | Displays separate graphs for total, write, and read I/O operations per second (IOPS) for the VM. |
Usage | Displays separate graphs for current, snapshot, and shared storage usage (in GiBs) by the VM. |
Working set size | Displays separate graphs for total, write, and read storage usage (in GiBs) for the VM working set size. |
Network packets dropped | Displays separate graphs for the number of transmitted and received packets dropped. |
Network bytes | Displays separate graphs for the amount of transmitted and received bytes (in GiBs). |
The Recovery Points tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application.
The Recovery Points tab applies only to single VM blueprints running with Nutanix as the provider.
To create snapshots of the single-VM or multi-VM applications that are running on Nutanix platform, use the snapshot action on the Manage tab of the application.
Fields | Description |
---|---|
Name | Displays the name of the snapshots. |
Creation Time | Displays the date and time of the snapshot creation. |
Location | Displays the location where the snapshot was taken. |
Expiration Time | Displays the expiration time of the snapshot. |
Recovery Point Type | Displays whether the snapshot type is application-consistent or crash-consistent. |
The Snapshot tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application. Use this tab to create snapshots of single-VM applications that are running on VMware or Azure.
Fields | Description |
---|---|
ID | Displays the ID of the snapshots. Snapshot IDs are unique and automatically generated when you take a snapshot. |
Name | Displays the name of the snapshot. |
Description | Displays the description of the snapshot. |
Parent | Displays the parent blueprint application from which the snapshot is taken. |
Creation Time | Displays the date and time when the snapshot is taken. |
The AMIs tab allows you to view the captured snapshots, restore applications from snapshots, and delete the snapshots for an application.
Fields | Description |
---|---|
ID | Displays the ID of the snapshots. Snapshot IDs are unique and automatically generated when you take a snapshot. |
Name | Displays the name of the snapshot. |
Description | Displays the description of the snapshot. |
Creation Time | Displays the date and time when the snapshot is taken. |
Perform the following procedure to run shell commands on a web SSH console for a service.
The Audit tab lists the action or actions that are performed on an application as displayed in the following figure. To view the detailed course of the action, click action.
You can retry a failed application action from the last failed task in case the action does not fail due to system error.
Brownfield applications are created to manage existing VMs that are currently not managed by Calm. To create a brownfield application, Calm must communicate with the VMs that are not managed by Calm. After the application is created, the application runs like any other Calm application.
The following are the key points you must consider before you create a brownfield application.
In Calm, the update configuration is stored as a single element per service and applicable from the first VM instance. When you select multiple VMs with different configurations in a service and update the configuration, the update configuration applies to the first VM instance. The same configuration is then followed for all the remaining VM instances.
Let’s say you selected VM1 and VM2 for the service with a RAM of 4 GB and 8 GB respectively. If you define the update configuration to increase the RAM by 1 GB and run the action, the update applies to VM1 to increase the RAM to 5 GB. The same configuration is then followed for VM2 to change the RAM from 8 GB to 5 GB causing undesirable results in both the update configuration and quota utilization checks.
For information on how to create a brownfield application, see Creating Brownfield Application.
Brownfield applications are created to manage existing VMs that are currently not managed by Calm. Perform the following procedure to create brownfield application.
You must launch the configured brownfield applications to be managed by Calm.
Nutanix Guest Tools (NGT) is a software bundle that you can install in a guest
virtual machine (Microsoft Windows or Linux) to enable the advanced functionality provided
by Nutanix. For more information about NGT, see the
Prism Central
Guide
. Perform the following procedure to install NGT services on your
VM. NGT services are only applicable for AHV clusters.
After you install NGT service on a VM, you can either enable or disable VSS and SSR
services by using the
Manage NGT Apps
play button. To know more VSS
and SSR services, see the
Nutanix Guest Tools
section in the
Prism Web Console Guide
.
If you do not want to recover application details after the host VM becomes unavailable, uninstall the NGT application. Perform the following procedure to uninstall NGT services for your application.
A snapshot preserves the state and data of an application virtual machine at a specific point in time. You can create a snapshot of a virtual machine at a particular point in time and restore from the snapshot to recreate the application from that time.
On a Nutanix platform, you can use the snapshot and restore feature in both single-VM and multi-VM applications. On VMware, AWS, and Azure platforms, you can use the snapshot and restore feature only in a single-VM application.
While the snapshot and restore feature is available by default for VMware, AWS, and Azure platforms, you need to add the snapshot/restore configuration to the single-VM or multi-VM blueprint on Nutanix. Adding the configuration to the blueprint generates separate profile actions for snapshot and restore. For more information, see Configuring Single-VM Blueprints with Nutanix for Snapshots and Configuring Multi-VM Blueprints on Nutanix for Snapshots.
Snapshot and restore of an application VM that runs on a Nutanix platform involves the following configurations and actions:
As a project admin, you define snapshot policies in a project. Snapshot policies help you define rules for taking snapshots of application VM. The policy determines the overall intent of the snapshot creation process and the duration of managing those snapshots. You can configure your snapshot policy to manage your snapshots on a local cluster, on a remote cluster, or both.
Remote snapshots are particularly useful when your Prism Central has a computer-intensive cluster managing workloads and a storage-intensive cluster managing your data, snapshots, and so on.
For more information about creating a snapshot policy, see Creating a Snapshot Policy.
You define snapshot and restore configuration for each service in a blueprint. You can configure the service to create snapshots locally or on a remote cluster. In case your multi-VM blueprint has multiple replicas of the service, you can configure the action to take snapshot only for the first replica or the entire replica set.
The snapshot/restore definition of a service generates the snapshot configuration and its corresponding restore configuration. You can use these configurations to modify your snapshot and restore setup. The snapshot/restore definition also generates application profile actions that you can use to create or restore snapshots. You can add more tasks and actions as part of your snapshot and restore to define actions you might want to take on your services. For example, shutting down the application and the VM before taking the snapshot or restarting the VM or services before a restore.
For more information on snapshot and restore configuration, see Blueprint Configuration for Snapshots and Restore.
You associate a policy defined in a project when you launch the application. Depending on the snapshot configuration that you provide in the blueprint, you can select the policy and the cluster in which the snapshot will be stored.
If you defined remote snapshot in the blueprint, then you can view all the policies that allow you to take a remote snapshot. You can select a policy and the corresponding clusters before you launch the application.
For more information, see Launching a Blueprint.
Like other profile actions, the profile actions for snapshot and restore appear on the Manage tab of an application. The snapshots created are listed under the Recovery Points tab of the application. When you create multiple snapshots as part of one action, they appear as a snapshot group. You can expand the group to view the snapshots, their corresponding services, and location. For more information, see Creating Snapshots on a Nutanix Platform.
Restore follows the same configuration that the snapshot has. To restore, you specify the variables and select applicable recovery points depending on the VM. For more information, see Restoring VM Details from Snapshots on a Nutanix Platform.
Perform the following procedure to create application-consistent or crash-consistent snapshots. Application-consistent or crash-consistent snapshots are used to capture and recover all of the VM and application level details. Application-consistent snapshots can also capture all data stored in the memory and transactions in process.
snapshot-@@{calm_array_index}@@-@@{calm_time}@@
.
Nutanix Guest
Tools
section in the
Prism Web
Console Guide
.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application from the snapshots.
A snapshot preserves the state and data of a virtual machine at a specific point in
time. You can create a snapshot of a virtual machine at any time and revert to that snapshot
to recreate the application from that time. For more information, see the
VMware Documentation
. Perform the following procedure
to create a snapshot.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application VM details from a snapshot.
You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. For more information, see AWS Documentation . Perform the following procedure to create a snapshot on a AWS platform.
You can restore the VM details of an application after the host VM becomes unavailable. Perform the following procedure to restore an application VM details from a snapshot. Ensure that you have captured the snapshots for the application VM.
Creating a snapshot of an application virtual machine on the Azure platform creates a point-in-time copy of your operating system and data disks associated with the VM. The snapshots you create can then be used to create a new VM with the same configurations as the source application VM.
You can restore the VM details of an application after the host VM becomes unavailable. The VM snapshot that you create on an Azure platform consists of the snapshot of operating system and data disks. When you restore the VM details, a new VM is created using the snapshots of the disks.
Perform the following procedure to delete the snapshots created for the VM under an application.
The update configuration feature allows you to update the virtual machine of a running application to a higher or lower configuration. Using this feature, you can modify VM specifications such as the vCPU, memory, disks, networking, or categories (tags) of a running production application with minimal downtime.
The process to update VM configuration of a running application on Nutanix is different from other providers.
To update configurations of a running single-VM or multi-VM applications on Nutanix, you need to perform the following steps:
For more information, see Update Configuration for VM.
You can update VM specifications from the Manage tab of the application. While launching the update, you can define the variables, verify the updates defined for the service by looking at the original value and updated value. You can also modify the values if the component is editable. You can also check the cost difference at the top of the page before applying the changes. For more information, see Updating the VM Configuration of an Application on Nutanix.
The option to update VM configuration of a running single-VM application on VMware, AWS, or Azure is available by default on the Overview tab of the application. The attributes that you can update depends on the provider account you selected for the application.
You can run the update configuration to modify the VM specifications, such as the vCPU, memory, disks, networking, or categories of a single-VM or multi-VM application.
You can click the delete icon to remove the existing disk.
You can click the delete icon to remove any new disk if your blueprint developer has enabled it in the application blueprint.
You can run the update configuration to modify parameters, such as VM configurations, controllers, disks, and network adapters of a single-VM application running on a VMware platform.
You can run the update configuration to modify parameters, such as instance type, IAM role, security groups, tags, and storage of a single-VM application running on an AWS platform.
You can run the update configuration to modify parameters, such as VM configurations, controllers, disks, or network adapters of a single-VM application running on an AWS platform.
You can add or update the credential, custom actions, post delete tasks, or package uninstall tasks from the Overview tab of a single-VM application.
An image is a template for creating new instance or VM. Calm allows you to create images from an existing single-VM or multi-VM application running on a Nutanix platform. Perform the following procedure to create an image from an existing application.
Perform the following procedure to clone an application. The cloned application has the same VM configuration as the source application from which it is cloned.
You can delete the unwanted applications from the Applications tab.
You can define and create custom or user-level actions while configuring a blueprint. Perform the following procedure to run the user-level actions.
System-level actions are pre-defined actions that you can run on an application. Perform the following procedure to execute the system-level actions.
Scheduler allows you to schedule application action and runbook executions. You can schedule recurring jobs and one-time jobs for critical operations throughout the application life cycle.
You can schedule any user-defined application actions, create or restore application snapshots (only AHV), or any pre-defined system actions such as Start, Stop, Restart, Delete, and Soft Delete. For example, you can schedule a Stop action and a Start action on a single-VM Calm application to run at a particular date and time.
Scheduler supports two types of entities.
Scheduler jobs have a role ownership. A user can modify the job that you created if the user has access to the entity and Allow Collaboration is enabled in the associated project. For example, if you create a scheduler job for an application action as a developer, a consumer that has access to the same application can modify the job. If Allow Collaboration is disabled in the project, then only the creator of the scheduler job can modify the job. For information on the role required to schedule application action and runbook execution, see Role-Based Access Control in Calm.
Create a scheduler job to perform an application action or runbook execution.
You can view or update a scheduler job on the Scheduler tab of the Policies page.
Scheduler jobs have a role ownership. You can update a job that a different user has created only when you have access to the entity and collaboration is allowed in the associated project.
You can also click View Logs for any executed job to go to the Audit tab and view the logs.
You can delete a scheduler job on the Scheduler tab of the Policies page.
An approval policy adds a level of governance to determine which application deployment requests or actions require approvals before they are initiated. You can use approval policies to manage your infrastructure resources, their associated costs, and compliance more effectively.
For example, consider a marketplace item that consumes a significant part of your available resources. You can use an approval policy to enable your IT administrator to review all deployment requests for that marketplace item and ensure that all requests are justified.
You can also use approval policies to enable a project administrator to review all the changes that are done as part of orchestration to a critical application instance.
As a Prism Central Admin or Project Admin, you can create approval policies for runbook executions, application launch, and application day-2 operations (system-defined or user-defined actions).
Each approval policy is a defined set of conditions that you apply to specific entities in Calm. An approval request is generated when an associated event meets all the conditions defined in the policy.
You can configure approval policies for specific events with different set of conditions. For example, to configure an approval policy for a marketplace item, you can use the following values:
The following table lists the different conditions that you can define for different events in approval policies. To search for a provider-specific attribute, type the provider name in the Attribute field.
Entity Type and Action | Provider | Attribute | Operator |
---|---|---|---|
Entity Type: Runbook Action: Execute |
All | Runbook Name | Equals, Contains, Like |
Task Name | Equals, Contains, Like | ||
Endpoint Name | Equals, Contains, Like | ||
Entity Type: Application Action: Launch |
All | Substrate Type | Equals, Contains, Like |
Blueprint Name | Equals, Contains, Like | ||
Application Name | Equals, Contains, Like | ||
Application Profile Name | Equals, Contains, Like | ||
Estimated Application Profile Cost | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Account Name | Equals, Contains, Like | ||
VM Name | Equals, Contains, Like | ||
Service Name | Equals, Contains, Like | ||
App Replicas Count | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
OS Type | Equals, Contains, Like | ||
Azure Specific Attributes | Azure Tag | Equals, Contains, Like | |
Azure Location | Equals, Contains, Like | ||
Azure Instance Name | Equals, Contains, Like | ||
Azure Resource Group | Equals, Contains, Like | ||
Azure Availability Zone | Equals, Contains, Like | ||
Azure Availability Set | Equals, Contains, Like | ||
Azure Hardware Profile | Equals, Contains, Like | ||
Azure Data Disk Name | Equals, Contains, Like | ||
Azure Data Disk Type | Equals, Contains, Like | ||
Azure Data Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Azure Network Profile Subnet | Equals, Contains, Like | ||
Azure Network Profile NIC Name | Equals, Contains, Like | ||
Azure Network Profile Virtual Network | Equals, Contains, Like | ||
Azure Network Profile Network Security Group | Equals, Contains, Like | ||
VMware Specific Attributes | VMware Instance Name | Equals, Contains, Like | |
VMware Datastore Cluster | Equals, Contains, Like | ||
VMware Datastore | Equals, Contains, Like | ||
VMware Cluster | Equals, Contains, Like | ||
VMware Host | Equals, Contains, Like | ||
VMware Sockets | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Cores Per Socket | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Memory | Equals, Contains, Like | ||
VMware Adapter Type | Equals, Contains, Like | ||
VMware Network | Equals, Contains, Like | ||
VMware Disk Type | Equals, Contains, Like | ||
VMware Tag | Equals, Contains, Like | ||
VMware Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
VMware Template Name | Equals, Contains, Like | ||
AHV Specific Attributes | AHV vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | |
AHV Cores Per vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Memory | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Category | Equals, Contains, Like | ||
AHV VPC Name | Equals, Contains, Like | ||
AHV vLAN Name | Equals, Contains, Like | ||
AHV Disk Type | Equals, Contains, Like | ||
AHV Disk Image Name | Equals, Contains, Like | ||
AHV Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Boot Configuration Type | Equals, Contains, Like | ||
AWS Specific Attributes | AWS Instance Type | Equals, Contains, Like | |
AWS Region | Equals, Contains, Like | ||
AWS Tag | Equals, Contains, Like | ||
AWS Root Volume Type | Equals, Contains, Like | ||
AWS Data Volume Type | Equals, Contains, Like | ||
AWS Root Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AWS Data Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AWS IAM Role | Equals, Contains, Like | ||
AWS VPC ID | Equals, Contains, Like | ||
AWS Security Group ID | Equals, Contains, Like | ||
AWS Subnet ID | Equals, Contains, Like | ||
AWS Machine Image ID | Equals, Contains, Like | ||
GCP Specific Attributes | GCP Instance Name | Equals, Contains, Like | |
GCP Machine Type | Equals, Contains, Like | ||
GCP Zone | Equals, Contains, Like | ||
GCP Boot Disk Storage Type | Equals, Contains, Like | ||
GCP Boot Disk Source Image | Equals, Contains, Like | ||
GCP Labels | Equals, Contains, Like | ||
Entity Type: Application Action: Day 2 Operation |
All | Application Name | Equals, Contains, Like |
Application Profile Cost | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
App Replicas Count | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
Action Name | Equals, Contains, Like | ||
AHV Specific Attributes (for Update Config Only) | AHV vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | |
AHV Cores Per vCPU | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Memory | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV Category | Equals, Contains, Like | ||
AHV vLAN Name | Equals, Contains, Like | ||
AHV VPC Name | Equals, Contains, Like | ||
AHV Device Type | Equals, Contains, Like | ||
AHV Disk Size | Equals, Less than, Greater than, Greater than or Equals, Less than or Equals | ||
AHV (for Snapshots) | AHV Snapshot Location | Equals, Contains, Like | |
AHV Snapshot Replica | Equals, Contains, Like | ||
AHV Snapshot Name | Equals, Contains, Like |
Day 2 operations are combination of multiple actions. Ensure that you use the supported attributes for different day 2 operations to enforce the policy appropriately. For example, when you configure a policy with scale in or scale out task, the supported attributes can be App Replicas Count and Application Profile Cost.
The following table provides the day 2 operation with the supported attributes.
Day 2 Operation | Supported Attributes |
---|---|
AHV Update Config | Estimated Application Profile Cost, AHV vCPU, AHV Cores Per vCPU, AHV Memory, AHV Category, AHV VPC Name, AHV vLAN Name, AHV Disk Size, and AHV Device Type |
Scale-in or Scale-out task | App Replicas Count and Application Profile Cost |
AHV Snapshot Config | AHV Snapshot Name, AHV Snapshot Replica, and AHV Snapshot Location |
Supported Attributes for All Day 2 Operations | Application Name and Action Name |
For system actions, you must specify the name in the action_<system action> format. The following table lists the system action names supported for approval policies.
System Action | Names |
---|---|
Start | action_start |
Restart | action_restart |
Stop | action_stop |
Delete | action_delete |
Soft Delete | action_soft_delete |
Snapshot Create | action_snapshot_create |
Restore | action_restore |
Update | action_update |
To quickly create a new policy, you can clone an existing policy and edit its basic information, conditions, and approvers.
You cannot clone an approval policy that is in the Draft state.
You can enable a policy to enforce the policy on an event that matches the entity, action, and conditions of the policy or disable the policy to skip policy enforcement.
As a Prism Central Administrator or Project Administrator, you can delete an approval policy if the policy is no longer required for the event.
After you have created a policy, you can view the details of the policy on the policy details page.
An an approver, you can view a list of all pending approval policies on the Approval Requests tab and can either approve or reject the request with a reason.
When you approve a request, the event moves to the next task. When you reject a request, the requester is notified about the rejection of the request. If you are the requester, you can view your pending requests and the status of your reviewed request on the My Requests tab.
Library allows you to save user-defined tasks (scripts) and variables that you can use persistently for other application blueprints. You do not have to define the same tasks and variables for each blueprint.
You can also share tasks and variables listed as part of library across different projects. You can also customise an existing task or variable.
The Library tab lists all the published user-defined tasks and the created variable types to be used across multiple blueprints.
You create custom variable types for added flexibility and utility. Beyond just string and integer data types, you can create more data types such as Date/Time, list, and multi-line string. You can define list values as a static list of values or can attach a script (eScript or HTTP task) to retrieve the values dynamically at runtime.
While creating a custom variable type, you associate a project to the variable type. You can also share the variable type with multiple other projects using the "Share" option on the same page.
Create variable types so that you can use the variables during blueprint creation. You can also share the created variable types across multiple projects.
You can create tasks while configuring a blueprint and publish these tasks to the library. Calm allows you to import these published tasks while configuring other blueprints across multiple projects.
To refer to the video about task library, click here.
Add tasks to a project so that you can use the tasks while configuring blueprints for the selected project.
Delete unwanted tasks from the Library. The deleted tasks can no longer be used in any project while configuring a blueprint.
A runbook is a framework to automate routine tasks and procedures that pan across multiple applications without the involvement of a blueprint or an application.
A runbook is a collection of tasks that you can define to run sequentially at different endpoints. For more information about endpoints, see Endpoints Overview.
You can define the following types of tasks in a runbook.
Task | Description |
---|---|
Execute | To run Shell, PowerShell, and eScript (custom python) scripts. |
Set Variable | To run a script and create variables. |
Delay | To set a delay interval between two tasks or actions. |
HTTP | To perform REST calls to an HTTP endpoint. |
While Loop | To iterate over multiple tasks until the defined condition is met. |
Decision | To define different flows or paths based on the exit condition. |
VM Power On | To power on the VMs that are present in the VM endpoint type. |
VM Power Off | To power off the VMs present in the VM endpoint type. |
VM Restart | To restart the VMs present in the VM endpoint type. |
For more information about creating a runbook, see Creating a Runbook.
To share an active runbook across different projects, you can submit the runbook to be published as a Marketplace item. When the runbook is available at the marketplace, members from different projects to which the runbook is assigned can view and execute it.
When you submit a runbook for publishing, your administrator approves and publishes the runbook at the Marketplace. While publishing, your administrator selects the projects that can view and execute the runbook. You can publish runbooks with or without endpoints and with or without secret values (credential passwords or keys and secret variables). For more information, see Submitting a Runbook for Publishing.
You can select endpoints with virtual machines as the target type to execute power operation tasks such as power off, power on, or restart. Executing these tasks on Virtual machines is particularly helpful in cases where you need to run a set of scripts on multiple VMs and then restart the VMs. For example, when you want to upgrade a software on your VMs. For more information about creating an endpoint, see Creating an Endpoint.
You cannot modify the runbook after it is published. You can either execute the runbook or clone the runbook within your project from the marketplace.
A runbook is a collection of tasks that you can define to run sequentially at different endpoints.
Calm uses the default endpoint only when you do not configure any endpoint at the task level.
The task is further subdivided into True and False condition. You must repeat the steps to add the tasks and configure the task type.
Create a runbook with the Execute task to run Shell, PowerShell, and eScript (custom python) scripts. Create a runbook with the Set Variable task to run a script and create variables.
Create a runbook with the Delay task to set a delay interval between two tasks or actions.
Create a runbook with the HTTP task to perform REST calls to an HTTP endpoint.
Create a runbook with the While Loop task to iterate over multiple tasks until the defined condition is met.
Submit a runbook for publishing so that your admin can approve and publish it at the marketplace. Members from the associated projects can view and execute the runbooks that are published at the marketplace.
You can execute a runbook to run the tasks sequentially on an endpoint.
Perform the following procedure to delete a runbook.
Endpoints are the target resources where the tasks defined in a runbook or blueprint are run.
The endpoints are collection of IP addresses or VMs. The collection of VMs can be a static selection or can be dynamic with filter rules applied.
You have the following types of endpoints.
To know how to create an endpoint, see Creating an Endpoint.
For Windows or Linux endpoint type, you can select virtual machines as the target type. Selecting VMs as target type is useful in cases where you run a set of scripts on multiple VMs and then restart the VMs. For example, you can select VMs as target type to upgrade a software on your VMs.
After you select VMs as the target type, you must select the provider account to list all the associated VMs. You can filter the list of VMs. You can either select the VMs manually or enable the option to automatically select the filtered VMs for your endpoint.
Create an endpoint to run the tasks that you define in a runbook or blueprint.
Perform the following procedure to delete a endpoint.
You can take a backup of the Calm data to a specified location on your machine and restore the data to a new Prism Central. You back up the following data:
You can take a backup of the entire Calm data to a specified location on your machine.
To know how to back up Calm data on an IAMV2-enabled setup, see Backing up Calm Data in an IAMV2-Enabled Setup.
docker exec -it nucalm bash
calmdata
binary is available in the
/home/calm/bin
folder.
# cd /home/calm/bin
# ./calmdata backup --dump-folder <folder>
calmdata
tar file dump.
docker cp <nucalm_container_id>:<backup_tar_file_path> <PC_path_to_copy>
docker cp f4af4798e47d:/backup/3.5.2_backup.tar /home/nutanix/local_backup/
scp
command to copy the calmdata backup tar file from
the Prism Central file system to the new Prism Central.
docker cp <back_up_tar_file_path> <nucalm_container_id>:<restore_path_dump_folder>
You can take a backup of the entire Calm data to a specified location on your machine.
docker exec -it nucalm bash
calmdata
binary is available in the
/home/calm/bin
folder.
# cd /home/calm/bin
# ./calmdata backup --dump-folder <folder>
calmdata
tar file dump.
sudo kubectl -s 0.0.0.0:8070 -n ntnx-base get pods
cd ~/cluster/bin/
vi backup_iam.sh
backup_iam.sh
file.
sh backup_iam.sh
/usr/local/nutanix/iam-backup
.
docker cp <nucalm_container_id>:<backup_tar_file_path> <PC_path_to_copy>
docker cp f4af4798e47d:/backup/3.5.2_backup.tar /home/nutanix/local_backup/
scp
command to copy the calmdata backup tar file from
the Prism Central file system to the new Prism Central.
scp
command to copy the IAM backup zipped file from
the Prism Central file system to the following location on the new Prism
Central.
/usr/local/nutanix/iam-backup
docker cp <back_up_tar_file_path> <nucalm_container_id>:<restore_path_dump_folder>
You can restore the Calm data to a new Prism Central using a backup you took earlier.
For more information about backing up the Calm data, see Backing up Calm Data.
# ./calmdata restore --dump-folder <folder>
docker exec -ti nucalm bash
activate;
code ;
python scripts/update_policy_vm_host_data.pyc
sudo systemctl stop policy-container
sudo systemctl stop policy-epsilon-container
sudo systemctl stop chronos-container
docker rm -f policy
docker rm -f policy-epsilon
docker rm -f chronos
sudo systemctl start policy-container
sudo systemctl start policy-epsilon-container
sudo systemctl start chronos-container
cd ~/cluster/bin/
vi restore_iam_from_file.sh
restore_iam_from_file.sh
file.
sh restore_iam_from_file.sh
Use the following flag options for your Calm data backup:
Options | Description |
---|---|
dump-folder |
The folder where you want to place the backup data. The default folder is located
at
/tmp/default
.
Note:
Create this folder before taking the
backup. When you restore, the restore binary must be present at this
location.
Example:
|
max-threads |
The maximum number of threads to use to take the backup. The default value is
5.
Example:
|
fetch-limit |
The maximum number of entries to fetch in batches of 100 per call. The default
and the maximum value is 100. Decreasing the value of
fetch-limit
increases the time taken to back up Calm
data.
Example:
|
idf-timeout |
The timeout for IDF (database). Increase the value of IDF timeout if you
encounter backup failure due to timeout. The default value is
60.
Example:
|
backup-deleted-entities |
The flag to include deleted entities in the backup. The backup does not include
deleted entities when the value is False. The default value is
True.
Example:
|
When you enable the policy engine for your Calm instance, Calm creates and deploys a new VM for the policy engine in your Prism Central network. After the policy engine VM deployment, you can anytime create a backup of your policy engine database. You can use the backup to restore the policy engine to the earlier state on your existing policy engine VM or on a new policy engine VM.
You must run the backup and restore commands from your Prism Central instance.
ssh nutanix@<policy_vm_ip>
/home/nutanix/scripts/backup.sh
<policy_vm_ip>
is the IP address of the policy
engine VM.
/home/nutanix/data/backups/
.
scp
command and then to the new policy
engine VM.
ssh nutanix@<policy_vm_ip> /home/nutanix/scripts/restore.sh
–-list
ssh nutanix@<policy_vm_ip> /home/nutanix/scripts/restore.sh
-f=<backup_name>
<policy_vm_ip>
is the IP address of the policy
engine VM and
<backup_name>
is the local backup file
available on the policy engine VM.
Calm task library public repository contains scripts for installing and uninstalling different services. To access the repository, click here.
The following sections provide the sample scripts of Cloud-init and SysPrep to configure the static IP address range for non-managed AHV network.
#cloud-config
cloud_config_modules:
- resolv_conf
- runcmd
write_files:
- path: /etc/sysconfig/network-scripts/ifcfg-eth0
content: |
IPADDR=10.136.103.226
NETMASK=255.255.255.0
GATEWAY=10.136.103.1
BOOTPROTO=none
ONBOOT=yes
DEVICE=eth0
runcmd:
- [ifdown, eth0]
- [ifup, eth0]
manage_resolv_conf: true
resolv_conf:
nameservers: ['8.8.4.4', '8.8.8.8']
searchdomains:
- foo.example.com
- bar.example.com
domain: example.com
options:
rotate: true
timeout: 1
<?xml version="1.0" encoding="UTF-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<ComputerName>Windows2016</ComputerName>
<RegisteredOrganization>Nutanix</RegisteredOrganization>
<RegisteredOwner>Acropolis</RegisteredOwner>
<TimeZone>UTC</TimeZone>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<Identification>
<Credentials>
<Domain>contoso.com</Domain>
<Password>secret</Password>
<Username>Administrator</Username>
</Credentials>
<JoinDomain>contoso.com</JoinDomain>
<UnsecureJoin>false</UnsecureJoin>
</Identification>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-TCPIP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<Interfaces>
<Interface wcm:action="add">
<Identifier>Ethernet</Identifier>
<Ipv4Settings>
<DhcpEnabled>false</DhcpEnabled>
<RouterDiscoveryEnabled>true</RouterDiscoveryEnabled>
<Metric>30</Metric>
</Ipv4Settings>
<UnicastIpAddresses>
<IpAddress wcm:action="add" wcm:keyValue="1">10.0.0.2/24</IpAddress>
</UnicastIpAddresses>
<Routes>
<Route wcm:action="add">
<Identifier>10</Identifier>
<Metric>20</Metric>
<NextHopAddress>10.0.0.1</NextHopAddress>
<Prefix>0.0.0.0/0</Prefix>
</Route>
</Routes>
</Interface>
</Interfaces>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-DNS-Client" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<UseDomainNameDevolution>true</UseDomainNameDevolution>
<DNSDomain>contoso.com</DNSDomain>
<Interfaces>
<Interface wcm:action="add">
<Identifier>Ethernet</Identifier>
<DNSDomain>contoso.com</DNSDomain>
<DNSServerSearchOrder>
<IpAddress wcm:action="add" wcm:keyValue="1">10.0.0.254</IpAddress>
</DNSServerSearchOrder>
<EnableAdapterDomainNameRegistration>true</EnableAdapterDomainNameRegistration>
<DisableDynamicUpdate>true</DisableDynamicUpdate>
</Interface>
</Interfaces>
</component>
<component xmlns="" name="Microsoft-Windows-TerminalServices-LocalSessionManager" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<fDenyTSConnections>false</fDenyTSConnections>
</component>
<component xmlns="" name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<UserAuthentication>0</UserAuthentication>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Networking-MPSSVC-Svc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<FirewallGroups>
<FirewallGroup wcm:action="add" wcm:keyValue="RemoteDesktop">
<Active>true</Active>
<Profile>all</Profile>
<Group>@FirewallAPI.dll,-28752</Group>
</FirewallGroup>
</FirewallGroups>
</component>
</settings>
<settings pass="oobeSystem">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<UserAccounts>
<AdministratorPassword>
<Value>secret</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
</UserAccounts>
<AutoLogon>
<Password>
<Value>secret</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>Administrator</Username>
</AutoLogon>
<FirstLogonCommands>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985"</CommandLine>
<Description>Win RM port open</Description>
<Order>1</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
</FirstLogonCommands>
<OOBE>
<HideEULAPage>true</HideEULAPage>
<SkipMachineOOBE>true</SkipMachineOOBE>
</OOBE>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<InputLocale>en-US</InputLocale>
<SystemLocale>en-US</SystemLocale>
<UILanguageFallback>en-us</UILanguageFallback>
<UILanguage>en-US</UILanguage>
<UserLocale>en-US</UserLocale>
</component>
</settings>
</unattend>
Calm supports the following eScript modules.
Module | Module supported as |
---|---|
datetime | _datetime |
re | re |
difflib | difflib |
base64 | base64 |
pprint | pprint |
pformat | pformat |
simplejson | json |
ujson | ujson |
yaml | yaml |
Uuid | uuid |
requests | requests |
boto3 | boto3 |
azure | azure |
googleapiclient | |
kubernetes | kubernetes |
The following example displays the usage of the boto3 module.
import boto3
ec2 = boto3.client('ec2', aws_access_key_id='{}', aws_secret_access_key='{}', region_name='us-east-1')
print ec2.describe_regions()
The following example displays the usage of the Azure module.
# subscription_id macro contains your Azure Subscription ID
# client_id macro contains your Client ID
# tenant macro contains you Tenant ID
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
credentials = ServicePrincipalCredentials(
client_id=@@{client_id}@@,
secret='secret',
tenant=@@{tenant}@@
)
client = ResourceManagementClient(credentials, @@{subscription_id}@@)
for item in client.resource_groups.list():
print(item)
The following example displays the usage of the GCP module.
from google.oauth2 import service_account
gcp_project = '@@{cred_gcp.username}@@'
gcp_secret = @@{cred_gcp.secret}@@ # JSON keyfile - Use SSH Key credential to paste JSON keyfile
gcp_zone = '@@{gcp_zone_id}@@' # Not required for every service
# Authentication
credentials = service_account.Credentials.from_service_account_info(gcp_secret)
# Create client - compute API https://cloud.google.com/compute/docs/reference/rest/v1
from googleapiclient import discovery
client = discovery.build('compute', 'v1', credentials=credentials)
The following example displays the usage of the Kubernetes module.
from kubernetes import client as k8client
aToken="eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJl
cm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWN
jb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNl
YWNjb3VudC9zZWNyZXQubmFtZSI6InNhcmF0aC10b2tlbi1ubWo1cSIsImt1YmVybm
V0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJzYXJhdG
giLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQ
iOiIzODM1Zjk5MC0zZGJhLTExZWEtODgwNy01MDZiOGQzYjFhYjIiLCJzdWIiOiJzeXN0ZW06c2Vyd
mljZWFjY291bnQ6ZGVmYXVsdDpzYXJhdGgifQ.dLJCdlOGktRsXfxDItBdbYxDYJtnFS9pptQaKr
JS1QfWAiT93l_iPExZZ_7JGQ2t7glpe-DNEwfjKiqUkDKmuHZSxN9fV6PHjTc8CGOn1q4LV7
tFFkh4HNi-JjhLPkRRQUM6_y5qQSrx9asDEGVLGsoHjuMLhELi4Ghq1EOgcRxPCTQD6lq_C203Dap
PESdqPl7JsmIVBCkFUT4A8A4sseiOqq9ogX-QKvAwoI7yq97BMJLX7q868cNBRsbFzct1tS-CEx-RCPM95
qAzdLNUOrIszVVgSd7jLxIg_tqUH_yEj4T0cePsbLhrCBPRt6bHFCyg3RkIKRoIN2YBq0wPWw"
configuration=k8client.Configuration()
configuration.host="https://10.46.4.213:6443"
configuration.verify_ssl=False
configuration.debug=True
configuration.api_key={"authorization":"Bearer "+ aToken}
k8client.Configuration.set_default(configuration)
v1=k8client.CoreV1Api()
nodes=v1.list_node(watch=False)
print nodes.items[0].metadata.name
Calm supports the following eScript functions.
The API exposes REST interface as a set of objects. This action is implemented using python requests module.
urlreq(url, verb='GET', auth=None, c=None, user=None, passwd=None, params=None,
headers=None, timeout=None, send_form_encoded_data=True, allow_redirects=True,
cookies=None, verify=True, proxies=None)
requests.Response object is returned.
Arguments | Description |
---|---|
url | string, url to request |
verb |
string, verb is GET by default. POST, HEAD, PUT, PATCH, and DELETE are other valid entries. |
auth |
string (optional), BASIC and DIGEST are the valid entries.
For authentication purposes, the order is as follows.
|
user | string (optional), username used for authentication. |
passwd | string (optional), password used for authentication. |
params | dict (optional), if verb is GET, HEAD or DELETE, parameters are sent in the query string for the request otherwise they are sent in the body of the request. |
headers | dict (optional), Dictionary of HTTP headers needs to be send along with the request. |
timeout | integer (optional), you can configure requests to stop waiting for a response after a given number of seconds with the timeout parameter. timeout only elects the connection process itself, not the downloading of the response body. |
send_form_encoded_data | boolean (optional), = True by default. If False, parameters dict is first dumped using simplejson.dumps() and then passed as a string. |
allow_redirects |
boolean (optional), = True by default. Specifies whether redirects should be allowed or not. |
cookies | dict (optional), cookies dict to be sent along with the request. |
verify | boolean (optional), = True by default. Specifies whether SSL certificates should be verified or not. |
proxies | dict (optional), Dictionary mapping protocol to the URL of the proxy |
Rules for authentication in the order of priority.
If the above two criteria does not match, username and password are authenticated by using the credential attached to the task.
For example
params = {'limit': 1}
headers = {'content-type': 'application/octet-stream'}
r = urlreq(url, verb="GET", auth="BASIC", c='somecred', params=params, headers=headers)
r = urlreq(url, verb="POST", auth="BASIC", user="user", passwd="pass", params=params)
The exit function is an alias for sys.exit of python standard library.
exit(exitcode)
For example
exit(0)
The sleep function is an alias for time.sleep.
sleep(num_of_secs)
For example
sleep(10)
The _construct_random_password API generates a random password and returns it.
_construct_random_password(lower, upper=None, numCaps=0, numLetters=0,
numDigits=0, numPuncs=0, startwith=None, caps=None, letters=None,
digits=None, puncs=None)
Returns: String
Argument | Description |
---|---|
lower | integer, minimum number of characters in the password. |
upper | integer (optional), maximum number of characters in the password. If upper is not defined, then the password returned will always be as per lower, else the length can vary between lower and upper (both included). |
numCaps |
integer (optional), minimum number of capital letters that must be there in password. |
numLetters |
integer (optional), minimum number of letters that must be there in password. |
numDigits | integer (optional), minimum number of digits that must be there in password. |
numPuncs |
integer (optional), minimum number of punctuation alphabets that must be there in password. |
startwith |
string (optional), password returned starts with one of the characters provided in startwith string. |
caps | string (optional), default = 'A-Z'. This can be overridden. |
letters | string (optional), default = 'a-zA-Z'. This can be overridden. |
digits | string (optional), default = '0-9'. This can be overridden. |
puncs | string (optional), default = '!@#$%^&'. This can be overridden. |
The _is_bad_password function checks whether the password is correct or not.
_is_bad_password(password, reserved, dictionary=True, numCaps=0, numPuncs=0, \
numDigits=0, minLen=5)
For example
_is_bad_password("Abcd@123")
The _randomchoose function is used to get a random character from a string.
_randomchoose(string)
For example
_randomchoose("adsadrer")
The _shuffle function is used to shuffle the sequence.
_shuffle(sequence)
For example
_shuffle(a)
The get_sql_handle function enables you to remotely connect and manage SQL Servers. It is implemented by using python pymssql module.
get_sql_handle(server, username, password, database='', timeout=0, login_timeout=60, charset='UTF-8', as_dict=False, host='', appname=None, port='1433', conn_properties=None, autocommit=False, tds_version=None)
Returns pymssql.Connection object
Argument | Description |
---|---|
server (str) | database host |
user (str) | database user to connect as |
password (str) |
user’s password |
database (str) |
The database to initialize the connection with. By default SQL Server selects the database which is set as default for specific user |
timeout (int) | query timeout in seconds, default 0 (no timeout) |
login_timeout (int) | timeout for connection and login in seconds, default is 60 seconds |
charset (str) | character set with which to connect to the database |
For example
username="dbuser"
password="myP@ssworD"
server="10.10.10.10"
port="1433"
cnxn = get_sql_handle(server, username, password, port=port, autocommit=True)
cursor = cnxn.cursor()
# List all databases
cursor.execute("""
SELECT Name from sys.Databases;
""")
for row in cursor:
print row[0]
cnxn.close()
To refer to the video about supported eScripts, click here.
The following script is an EScript sample script.
#script
account_name = "@@{ACCOUNT_NAME}@@"
aviatrix_ip = "@@{address}@@"
new_test_password = "@@{NEW_TEST_PASSWORD}@@"
vpc_name = "Test"
api_url = 'https://{0}/v1/api'.format(aviatrix_ip)
#print api_url
def setconfig(api_url, payload):
r = urlreq(api_url, verb='POST', auth="BASIC", user='admin', passwd='passwd', params=payload, verify=False)
resp = json.loads(r.content)
if resp['return']:
return resp
else:
print "Post request failed", r.content
exit(1)
print "Get the session ID for making API operations"
payload = {'action': 'login', 'username': 'admin', 'password': new_test_password}
api_url1 = api_url + "?action=login&username=admin&password="+ new_aviatrix_password
cid = setconfig(api_url=api_url1, payload=payload)
cid = cid['CID']
print cid
print "Delete the gateway"
payload = {'CID': cid,
'action': 'delete_container',
'account_name': account_name,
'cloud_type': 1,
'gw_name': vpc_name
}
api_url1 = api_url + "?CID="+cid+"&action=delete_container&account_name="+account_name+"&cloud_type=1&gw_name="+vpc_name
print setconfig(api_url=api_url1,payload=payload)
print "Delete the aws account"
payload = {'CID': cid,
'action': 'delete_account_profile',
'account_name': account_name
}
api_url1 = api_url + "?CID="+cid+"&action=delete_account_profile&account_name="+account_name
print setconfig(api_url=api_url1,payload=payload)
The following script is a jwt usage sample script.
#script
jwt = '@@{calm_jwt}@@'
payload = {}
api_url = 'https://localhost:9440/api/nutanix/v3/apps/list'
headers = {'Content-Type': 'application/json', 'Accept':'application/json', 'Authorization': 'Bearer {}'.format(jwt)}
r = urlreq(api_url, verb='POST', params=json.dumps(payload), headers=headers, verify=False)
if r.ok:
resp = json.loads(r.content)
print resp
exit(0)
else:
print "Post request failed", r.content
exit(1)
The following script is a powershell sample script.
Install-PackageProvider -Name NuGet -Force
Install-Module DockerMsftProvider -Force
Install-Package Docker -ProviderName DockerMsftProvider -Force
The following script is a guest customization sample script for the Azure service.
<AutoLogon>
<Password>
<Value>@@{user.secret}@@</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>@@{user.username}@@</Username>
</AutoLogon>
The following script is a guest customization sample script for the Azure service.
<FirstLogonCommands>
<SynchronousCommand>
<CommandLine>cmd.exe /c powershell -Command get-host</CommandLine>
<Order>1</Order>
</SynchronousCommand>
</FirstLogonCommands>
The following script is a guest customization sample script for the VMware service.
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set winrm/config/service/auth @{Basic="true"}
powershell -Command "enable-psremoting -Force"
powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"
The following script is a guest customization sample script for the GCP service.
#! /bin/bash\napt-get update\napt-get install -y apache2\ncat <<EOF > /var/www/html/index.html\n<html><body><h1>Hello World</h1>\n<p>This page was created from a simple startup script!</p>\n</body></html>\nEOF
Calm blueprints public repository contains custom blueprints and custom scripts that are created and published by community members. Calm also publishes official blueprints and tasks to the github public repository. You can clone the published blueprints and scripts and use from the repository. To access the repository, click here .
The blueprints repository of Calm contains script that can be seeded into task library and published to projects. You can use these tasks for blueprint configuration.
bash generate_task_library_items.sh
export PC_IP=<prism central IP>
export PC_USER=<prism central user>
export PC_PASSWORD=<prism central password>
export PC_PROJECT=<prism central project>
python generate_task_library.py --pc $PC_IP--user $PC_USER --password $PC_PASSWORD --project $PC_PROJECT --script <path of script>
Calm license for Prism Central enables you to manage VMs that are provisioned or managed by Calm. Nutanix provides a free trial period of 60 days to try out Calm.
The Prism web console and Nutanix Support portal provide the most current information about
your licenses. For detailed information about the Calm licensing feature, refer to the
Prism Central Guide
.
Upgrade Calm or Epsilon using the Life Cycle Manager (LCM) from Prism Central. Epsilon is the orchestration engine for Calm. For more information , see Life Cycle Manager.
Use LCM to display the software and firmware versions of the entities in the cluster.
Use LCM to upgrade Calm and Epsilon to the latest available versions.
If you do not select any specific updates, the LCM performs all available updates.
By default, LCM automatically fetches updates from a pre-configured URL. If LCM fails to access the configured URL to fetch updates, you can configure the LCM to fetch updates locally to upgrade Calm and Epsilon.
Perform the following procedure to upgrade Calm and Epsilon at a dark site.
The LCM sidebar now shows the LCM framework with the updated version.
Refer to this section to upgrade Calm to the latest available version after you deploy the Calm VM.
Use the following procedure to upgrade Calm and Epsilon from Calm VM 3.5.2 to 3.6.
genesis stop nucalm epsilon
nucalm.tar.xz
from the Downloads location.
epsilon.tar.xz
from the Downloads location.
cluster start
To upgrade Calm VM using the PC method, do the following:
Check if the compatible PC version is available. If not, go to the Name Servers page and enter the global DNS server as the Name server.
A confirmation window appears.
Click Yes to start the download process. After the download gets completed, you can view the Upgrade list.
During the upgrade process, the Calm VM gets restarted.
Also, you can log in to the Calm VM GUI to view the upgraded version. In the top-left corner, click User Menu > About Nutanix .
You can upgrade to newer versions of Calm without performing a VM upgrade. Upgrades to most minor releases and few major releases are done using the LCM method.
To upgrade Calm VM using the LCM method, do the following:
A confirmation window appears.
Note that the Epsilon check-box also gets selected. Epsilon is the orchestration engine used by Calm.
A confirmation window appears.
By default, Life Cycle Manager (LCM) automatically fetches updates from a pre-configured URL. If LCM fails to access the configured URL to fetch updates, you can configure the LCM to fetch updates locally to upgrade Calm and Epsilon. Perform the following procedure to upgrade Calm and Epsilon at a dark site.
The LCM sidebar now shows the LCM framework with the same version as the LCM dark site bundle you downloaded.
The Credential Security Support Provider (CredSSP) protocol is a security support provider that you implement using the Security Support Provider Interface (SSPI). CredSSP allows an application to delegate credentials of a user from the client to the target server for remote authentication. CredSSP provides an encrypted transport layer security protocol channel. The client is authenticated over the encrypted channel by using the Simple and Protected Negotiate (SPNEGO) protocol with either Microsoft Kerberos or Microsoft NTLM.
For more information, refer to the Microsoft Documentation .
Perform the following procedure to enable CredSSP.
> Enable-WSManCredSSP -Role Server -Force
Perform the following procedure to generate an SSH key pair on a Linux VM.
$ ssh-keygen -t rsa
Perform the following procedure to generate an SSH key pair on Windows.
Integrated Linux based PowerShell gateway is an in-built microservice of Calm that you can use to run Windows PowerShell scripts. You do not have to install any Windows VM separately or install Karan service manually to run the PowerShell scripts in Calm. Perform the following task to run the PowerShell scripts in Calm.
> Install-windowsfeature -name AD-Domain-Services –IncludeManagementTools
> Enable-WSManCredSSP -Role Server -Force
> Install-windowsfeature -name AD-Domain-Services –IncludeManagementTools
You might encounter the following errors when you run the PowerShell scripts using the integrated Linux based PowerShell gateway.
Error | Description |
---|---|
Access denied |
If the VM and the WinRM services are started but the specified credential is wrong. You encounter the error in the following cases.
|
Connection refused |
You encounter the connection refusal error in the following cases.
|
Nutanix localizes the user interface in simplified Chinese and Japanese. All the static
screens are translated to the selected language. You can change the language settings of the
cluster from English (default) to simplified Chinese or Japanese. For information on how to
change the language setting, refer to the
Prism Central
Guide
.