Dependency Map FAQ
Frequently Asked Questions on Deploying and Configuring Dependency Maps
Q. What is the new Dependency Map Feature?
The Dependency Map combines infrastructure relationships (between VMs, clusters, and datacenters) with logical relationships between application components, enabling a clear understanding of the ways applications and systems depend upon each other in your environment. These dependencies show the scope of resources that need to move or workloads impacted if a workload is changed. These observations are critical when planning which workloads may have egress data costs in the cloud or which applications have complex dependencies when planning an upgrade or outage. The new CloudPhysics Dependency Map presents data from an optional elevated data collection process from the CloudPhysics Observer. This data will represent the relationship between VMs and other network resources based on observed processes and communications from within a Guest OS. This data will consist of Processes or process IDs, local IP Addresses, local ports, protocols, and remote IP Addresses. If an IP address can be associated with a known VM, the known VM name will be presented. Remote objects can be known or unknown objects within the organization or potential destinations outside of the organization.
Q. How do I gain access to the Dependency Map?
Dependency Maps are available to premium customers who have deployed the latest CloudPhysics Observer, provided the necessary credentials for data collection, and added the revised vCenter credentials for data collection.
Credentials for Guest Process Collection:
Credentials for vCenter:
Q. How do I start getting data into the dependency map analytics and how do I see my data?
To get started, you will need to ensure you have the latest CloudPhysics Observer and have provided additional credentials for guest process discovery in the appliance. In addition, you will need to ensure you have revised your vCenter credentials for process data collection within the Guest OS. VMware Tools will be required in a Guest OS where data is to be collected.
Once the Observer and credentials are updated, data will start collecting within the next collection cycle and refresh approx once every 6 hours.
Credentials for vCenter:
Q. How do I know if I have the most recent CloudPhysics Observer?
CloudPhysics introduced the Dependency Map data collection features as options in the Observer v2.5.1 release and newer. To find which version you are running, start by looking at the CloudPhysics Observer version reported on the Observer Console Page. Here you will find the current version deployed in your environment. To find the most recent Observer versions, you can download the current Observer OVF (approx. 7k) and view the “Current Version” in the XML file. It never hurts to update your current observer with a new download of the appliance to ensure your appliance is current.
Q. How do I update my CloudPhysics Observer?
You can replace your CloudPhysics observer with the latest observer available from CloudPhysics. Simply download and redeploy the new observer. An organization token will be required to activate the observer. An organizational token is available from the CloudPhysics Welcome Page for new users or from the CloudPhysics Observer status page. Click “Reveal Token” in the left-hand instructions to receive your token. Tokens are valid for 24 hours and can be used with multiple vCenters within the Organization. Be sure to provide the same vCenter name and credentials. CloudPhysics will resume the collection of your data.
Deploying the CloudPhysics Observer:
Observer Status Page for Organization Token:
Q. What credentials do I need to provide the CloudPhysics observer?
Two different sets of credentials are required. The first set of credentials allows the observer to read data from VMware vCenter. A second credential will be required to collect guest process data and dependency data from guest operating systems. In many cases, these may be two different credentials.
Q. Do I need to change my vCenter?
If you have never set up your account for process collection before, you will need to revise your vCenter credentials. If you plan to use Dependency Discovery or Guest Process Identification, additional VMware vCenter Policy settings will be required. This is an elevated level of Virtual Machine security to allow VMware tools to gather guest data. These features will require the VMware Tools to be present and enabled in the guest operating system.
Q. What credentials are required for my vCenter user account used by the CloudPhysics Observer?
For the Server, Username, and Password, provide a Fully Qualified Domain NAme IP Address for the VMware vCenter. Example: Vcenter.company.local Note, This may be pre-populated from the PSC selection above.
For the vCenter Credentials, provide a user ID and password. Note, Windows-style credentials may be required in the “domain\user” format.
Q. What specific configurations are required within the Guest OS?
Since CloudPhysics is agentless, we rely on VMware Tools and some environmental attributes of the Guest OS to ensure we can collect data. VMware Tools are required to request guest data. The process collects data to a TEMP file located in the system temp folder. If the system does not have a TEMP variable or TEMP folder available, the collection process will not have the ability to create the intermediate field required for data collection. Using temp files eliminates the need to keep all data in memory.
Q. What can I do if I get a “Working directory is not available” error message?
The working directory issue occurs when there is no working TEMP folder in the system path for the current users. When VMware Tools issues a command with the defined users, it directs the command output to a TEMP file in the user’s local temp folder. It may be that a user who has never logged into a Guest OS does not have a HOME directory created by the login scripts. A normal login script usually created a temp directory for a user something like %home%/%user%/temp. The Environment variables typically are the same temp=%home%/%USER%/temp. If the user has never logged in, this temp location has not been created for the user who we use to issue commands in the Guest OS through VMware Tools. The solution is to either use an account that has connected to the guest in the past (a common service account or local user used to set up the OS), or a Domain Admin account that has connected in the past. In some cases, it may be necessary to define the temp environment variable and create a temp folder through a script for VMs in the environment.
Q. Can I use Microsoft Windows Domain credentials?
Yes, a Domain credential can be used. CloudPhysics currently uses a single user ID and password pair for all guest OS. Assuming all guest OS are on the same domain, a single domain user credential can be used.
Q. What credentials can I use for Linux?
If the organization has a single administrator ID and password, a single credential across both Windows and Linux can be used. If your environment is only Linux, a single login ID and password is required. If your environment is mixed, a common user ID and password would be required.
Q. What if I have multiple domains or different credentials for differing operating systems or locations?
At the current time, the CloudPhysics Observer is only able to use a single credential. If you have a different credential in a different domain or location, you will be unable to collect data from both environments unless you have a common login and password.
Q. What data is collected?
Here are the data points collected from within the Guest OS with the elevated guest credentials.
- Running Guest Processes
- Installed Applications (Windows Only)
- Open network communications by process or process ID
Q. How is data collected?
The CloudPhysics Observer requests the following details from VMware vCenter to collect using VMware Tools. CloudPhysics will issue a command to the
Q. How frequent is data collected? How often is the data refreshed in the Map?
Data is collected once every 6 hours. Every six hours the collection runs; any new dependencies discovered are added to the existing map. After 7 days, old dependencies that are no longer in the current map are deleted.
Q. The CloudPhysics Dependency Map says I do not have data for a specific VM, why?
This can be one of the multiple reasons. In most cases, when viewing a VM in the Data TAble View, you will find an amber flag in the corner near the VM name. This flag will provide some assistance as to why we were unable to collect data from a VM.
Most common reasons:
- Invalid guest credentials
- Insufficient privileges in vCenter
- VMware tools not current or up to date in guest OS
- VMware tools not installed
- Guest credentials have insufficient privileges to collect data
- An internal error within the Guest OS
Q. I see VM’s and other workloads not controlled by my vCenter, how did they appear in my results?
These are destinations observed through the communications of a VM in your data collection. We can see both internal and external communications for a VM and many of these may not be managed by your VMware environment. Common resources such as load balancers, network file servers and physical arrays used for NFS/iSCSI, user desktops, and public internet communications can appear as discovered targets of a VM.
Q. How do I select multiple VMs in the map view?
Use the SHIFT KEY and left click with your mouse to select a single VM. Repeat as necessary to select additional VMs.
Q. What do the shapes mean in your diagrams?
The Dependency Graph objects are:
- Circles depict nodes that represent VMs in your filtered VM result set
- Triangles depict nodes that represent VMs that are not in your filtered scope but connected to VMs in your filtered scope
- Diamonds depict nodes representing non-VMs on your network. These can be user desktops, standalone systems, or network devices
- Pentagons depict nodes representing public non-VMs. These may be external to your organization or located within a public network segment such as a DMZ
- Filled shapes indicate that all edges are displayed
- Half-filled shapes indicate that some edges are hidden
Q. How do I find a specific port?
Using the compass filters on the left-hand side of the page, scroll down to Ports. Specify a specific port you are looking for in the environment. The result set will reduce the scope only to VMs using the specific port.
Q. After updating the Guest OS credentials in the Observer, how long does it take for the Dependency Map to populate in the UI?
There are two sides to this: data collection and data processing:
- If the Guest Credentials are set up during the initial Observer config, the DepMap collection kicks off right away
- If the user adds guest credentials to an already-running observer there is a 2-minute delay
- If there is a collection failure, there is a five-minute timeout and then it tries again.
Data Processing timeline:
- Once dependency data is collected, it takes around 15 minutes to be processed and made available in the UI
Q. Is it ok if the customer provides us with the Guest OS credentials of a ‘service account’? Or do we need that account to have admin access?
A local user or service account can be used for guest data collection. In some cases, the guest account may not be able to see processes that are not controlled by the user account. If you wish to include all processes within the Guest OS, use an account that has privileges to see all processes.
Q. What is the granularity of the dependency mapping? Meaning if a connection lasts for 1 second, will see it?
Most guest operating systems keep a brief history of process connections, ports, and PIDs. If the process ends, the Process ID (PID) may no longer be present but the connection history may still be collected.
Q. What if my user credentials expire?
If a user credential expires, it will be flagged with an Amber flag near the VM in the data table view indicating an error has occurred as well as the state of the collection. If credentials are expired, the amber flag will denote this error.
Q. If a user removes Guest OS credentials, what happens after 7 days, will dependency mapping be blank? Or do we just keep the latest collection?
CloudPhysics keeps the last 7 days of data collection visible in the dependency map. If you stop collecting data, the last collections will remain.
Q. Do I need to update my VMware Tools? Is there a particular version of Tools that VMs should be on?
CloudPhysics will require VMware Tools to request data from a Guest OS. The minimum version for VMware Tools is version 10 released in 2016.