A VMware vSphere environment includes many components to deliver business-critical workloads and services. However, there is a feature of today’s modern VMware vSphere infrastructure that is arguably underutilized – the VMware Content Library. Nevertheless, it can be a powerful tool that helps businesses standardize the workflow using files, templates, ISO images, vApps, scripts, and other resources to deploy and manage virtual machines. So how can organizations manage resources across sites with the VMware Content Library?
What is the VMware Content Library?
Most VI admins will agree with multiple vCenter Servers in the mix, managing files, ISOs, templates, vApps, and other resources can be challenging. For example, have you ever been working on one cluster and realized you didn’t have the ISO image copied to a local datastore that is accessible, and you had to “sneakernet” the ISO where you could mount and install it? What about virtual machine templates? What if you want to have the virtual machine templates in one vCenter Server environment available to another vCenter Server environment?
The VMware Content Library is a solution introduced in vSphere 6.0 that allows customers to keep their virtual machine resources synchronized in one place and prevent the need for manual updates to multiple templates and copying these across between vCenter Servers. Instead, administrators can create a centralized repository using the VMware Content Library from which resources can be updated, shared, and synchronized between environments.
Using the VMware Content Library, you essentially create a container that can house all of the important resources used in your environment, including VM-specific objects like templates and other files like ISO image files, text files, and other file types.
The VMware Content Library stores the content as a “library item.” Each VMware Content Library can contain many different file types and multiple files. VMware gives the example of the OVF file that you can upload to your VMware Content Library. As you know, the OVF file is a bundle of multiple files. However, when you upload the OVF template, you will see a single library entry.
VMware has added some excellent new features to the VMware Content Library features in the past few releases. These include the ability to add OVF security policies to a content library. The new OVF security policy was added in vSphere 7.0 Update 3. It allows implementing strict validation for deploying and updating content library items and synchronizing templates. One thing you can do is make sure a trusted certificate signs the templates. To do this, you can deploy a signing certificate for your OVFs from a trusted CA to your content library.
Another recent addition to the VMware Content Library functionality introduced in vSphere 6.7 Update 1 is uploading a VM template type directly to the VMware Content Library. Previously, VM templates were converted to an OVF template type. Now, you can work directly with virtual machine templates in the VMware Content Library.
VMware Content Library types
VMware Content Library enables managing resources across sites using two different types of content libraries. These include the following:
- Local Content Library – A local content library is a VMware Content Library used to store and manage content residing in a single vCenter Server environment. Suppose you work in a single vCenter Server environment and want to have various resources available across all your ESXi hosts to deploy VMs, vAPPs, install from ISO files, etc. In that case, the local content library allows doing that. With the local content library, you can choose to Publish the local content library. When you publish the Content Library, you are making it available to be subscribed to or synchronized.
- Subscribed Content Library – The other type of Content Library is the subscribed content library. When you add a subscribed VMware Content Library type, you are essentially downloading published items from a VMware Content Library type that has published items as mentioned in the Local Content Library section. In this configuration, you are only a consumer of the VMware Content Library that someone else has published. It means when creating the Content Library, the publish option was configured. You can’t add templates and other items to the subscribed VMware Content Library type as you can only synchronize the content of the subscribed Content Library with the content of the published Content Library.
- With a subscribed library, you can choose to download all the contents of the published Content Library immediately once the subscribed Content Library is created. You can also choose to download only the metadata for items in the published Content Library and download the entire contents of the items you need. You can think of this as a “files on-demand” type feature that only downloads the resources when these are required.
Below is an example of the screen when configuring a content library that allows creating either a Local Content Library or the Subscribed Content Library:
Choosing the content library type
Create a local or subscription Content Library in vSphere 7
Creating a new VMware Content Library is a relatively straightforward and intuitive process you can accomplish in the vSphere Client. Let’s step through the process to create a new VMware Content Library. We will use the vSphere Web Client to manage and configure the Content Library Settings.
Using the vSphere Web Client to manage the Content Library
First, click the upper left-hand “hamburger” menu in the vSphere Client. You will see the option Content Libraries directly underneath the Inventory menu when you click the menu.
Choosing the Content Libraries option to create a manage Content Libraries
Under the Content Libraries screen, you can Create new Content Libraries.
Creating a new Content Library in the vSphere Client
It will launch the New Content Library wizard. In the Name and Location screen, name the new VMware Content Library.
New Content Library name and location
On the Configure content library step, you configure the content library type, including configuring a local content library or a subscribed content library. Under the configuration for Local content library, you can Enable publishing. If publishing is enabled, you can also enable authentication.
Configuring the Content Library type
When you configure publishing and authentication, you can configure a password on the content library.
Step 3 is the Apply security policy step. It allows applying the OVF default policy to protect and enforce strict validation while importing and synchronizing OVF library items.
Choosing to apply the OVF default policy
The VMware Content Library needs to have a storage location that will provide the storage for the content library itself. First, select the datastore you want to use for storing your content library. The beauty of the content library is that it essentially publishes and shares the items in the content library itself, even though they may be housed on a particular datastore.
Select the storage to use for storing items in the VMware Content Library
Finally, we are ready to complete the creation of the Content Library. Click Finish.
Finishing the creation of the VMware Content Library
Once the VMware Content Library is created, you can see the details of the library, including the Publication section showing the Subscription URL.
Viewing the settings of a newly created VMware Content Library
As a note. If you click the Edit Settings hyperlink under the Publication settings pane, you can go in and edit the settings of the Content Library, including the publishing options, authentication, changing the authentication password, and applying a security policy.
Editing the settings of a VMware Content Library
Creating a subscribed VMware Content Library
As we mentioned earlier, configuring a subscribed content library means synchronizing items from a published content library. In the New Content Library configuration wizard, you choose the Subscribed content library option to synchronize with a published content library. Then, enter the subscription URL for the published content library when selected. As shown above, this URL is found in the settings of the published content library.
You will need to also place a check in the Enable authentication setting if the published content library was set up with authentication. Then, enter the password configured for the published content library. Also, note the configuration for downloading content. As detailed earlier, you can choose to synchronize items immediately, meaning the entire content library will be fully downloaded. Or, you can select when needed, which acts as a “files on demand” configuration that only downloads the resources when needed.
Configuring the subscribed content library
Choose the storage for the subscribed Content Library.
Add storage for the subscribed VMware Content Library
Ready to complete adding a new subscribed VMware Content Library. Click Finish.
Ready to complete adding a subscribed VMware Content Library
Interestingly, you can add a subscribed VMware Content Library that is subscribed to the same published VMware Content Library on the same vCenter Server.
Published and subscribed content library on the same vCenter Server
What is Check-In/Check-Out?
A new feature included with VMware vSphere 7 is versioning with the VMware Content Library. So often, with virtual machine templates, these are frequently changed, updated, and configured. As a result, it can be easy to lose track of the changes made, the user making the modifications, and track the changes efficiently.
Now, VMware vSphere 7 provides visibility into the changes made to virtual machine templates with a new check-in/check-out process. This change embraces DevOps workflows with a way for IT admins to check in and check out virtual machine templates in and out of the Content Library.
Before the new check-in/check-out feature, VI admins might use a process similar to the following to change a virtual machine template:
- Convert a virtual machine template to a virtual machine
- Place a snapshot on the converted template to machine VM
- Make whatever changes are needed to the VM
- Power the VM off and convert it back to a template
- Re-upload the VM template back to the Content Library
- Delete the old template
- Internally notify other VI admins of the changes
Now, VI admins can use a new capability in vSphere 7.0 and higher to make changes to virtual machine templates more seamlessly and track those changes effectively.
Clone as template to Library
The first step is to house the virtual machine template in the Content Library. Right-click an existing virtual machine to use the new functionality and select Clone as Template to Library.
Clone as Template to Library functionality to use the check-in and check-out feature
As a note, if you see the Clone to Library functionality instead of Clone as Template to Library, it means you have not converted the VM template to a virtual machine. If you right-click a VM template, you only get the Clone to Library option. If you select Clone to Template, it only allows cloning the template in a traditional way to another template on a datastore.
Right-clicking and cloning a VM template only gives the option to Clone to Library
Continuing with the Clone to Library process, you will see the Clone to Template in Library dialog box open. Select either New template or Update the existing template.
Clone to Template in Library
In the vCenter Server tasks, you will see the process begin to Upload files to a Library and Transfer files.
Uploading a virtual machine template to the Content Library
When you right-click a virtual machine and not a virtual machine template, you will see the additional option of Clone as Template to Library.
Clone as Template to Library
It then brings up a more verbose wizard for the Clone Virtual Machine To Template process. The first screen is the Basic information where you define the Template type (can be OVF or VM Template), the name of the template, notes, and select a folder for the template.
Configuring basic information for the clone virtual machine to template process
On the Location page, you select the VMware Content Library you want to use to house the virtual machine template.
Select the VMware Content Library to house the virtual machine template
Select a compute resource to house your cloned VM template.
Select the compute resource for the virtual machine template
Select the storage for the virtual machine template.
Select storage to house the VM template
Finish the Clone Virtual Machine to Template process.
Finish the clone of the virtual machine to template in the VMware Content Library
If you navigate to the Content Library, you will see the template listed under the VM Templates in the Content Library.
Viewing the VM template in the Content Library
Checking templates in and out
If you select the radio button next to the VM template, the Check Out VM From This Template button will appear to the right.
Launching the Check out VM from this template
When you click the button, it will launch the Check out VM from VM Template wizard. First, name the new virtual machine that will be created in the check-out process.
Starting the Check out VM from VM template
Select the compute resource to house the checked-out virtual machine.
Selecting a compute resource
Review and finish the Check out VM from VM template process. You can select to power on VM after check out.
Review and Finish the Check out VM from VM Template
The checked-out virtual machine will clone from the existing template in the Content Library. Also, you will see an audit trail of the check-outs from the Content Library. You are directed to Navigate to the checked-out VM to make updates. Note you then have the button available to Check In VM to Template.
Virtual machine template is checked out and deployed as a virtual machine in inventory
If you navigate to the Inventory view in the vSphere Client, you will see the machine has a tiny blue dot in the lower left-hand corner of the virtual machine icon.
Viewing the checked-out VM template as a virtual machine in vSphere inventory
After making one small change, such as changing the virtual network the virtual machine is connected to, we see the option appear to Check In VM to Template.
Check In VM to Template
It will bring up the Check In VM dialog box, allowing you to enter notes and then click the Check In button.
Check In the VM
We see the audit trail of changes reflected in the Content Library with the notes we entered in the Check in notes.
Virtual machine template checked back in with the notes entered in the check-in process
You will also see a new Versioning tab displayed when you view the virtual machine template in the inventory view.
Viewing the versioning of a virtual machine template in the inventory view
VMware Content Library Roles
There are various privileges related to Content Library privileges. VMware documents the following privileges that can be assigned to a custom VMware Content Library Role.
Privilege Name | Description | Required On |
Content library.Add library item | Allows addition of items in a library. | Library |
Content library.Add root certificate to trust store | Allows addition of root certificates to the Trusted Root Certificates Store. | vCenter Server |
Content library.Check in a template | Allows checking in of templates. | Library |
Content library.Check out a template | Allows checking out of templates. | Library |
Content library.Create a subscription for a published library | Allows creation of a library subscription. | Library |
Content library.Create local library | Allows creation of local libraries on the specified vCenter Server system. | vCenter Server |
Content library.Create or delete a Harbor registry | Allows creation or deletion of the VMware Tanzu Harbor Registry service. | vCenter Server for creation. Registry for deletion. |
Content library.Create subscribed library | Allows creation of subscribed libraries. | vCenter Server |
Content library.Create, delete or purge a Harbor registry project | Allows creation, deletion, or purging of VMware Tanzu Harbor Registry projects. | Registry |
Content library.Delete library item | Allows deletion of library items. | Library. Set this permission to propagate to all library items. |
Content library.Delete local library | Allows deletion of a local library. | Library |
Content library.Delete root certificate from trust store | Allows deletion of root certificates from the Trusted Root Certificates Store. | vCenter Server |
Content library.Delete subscribed library | Allows deletion of a subscribed library. | Library |
Content library.Delete subscription of a published library | Allows deletion of a subscription to a library. | Library |
Content library.Download files | Allows download of files from the content library. | Library |
Content library.Evict library item | Allows eviction of items. The content of a subscribed library can be cached or not cached. If the content is cached, you can release a library item by evicting it if you have this privilege. | Library. Set this permission to propagate to all library items. |
Content library.Evict subscribed library | Allows eviction of a subscribed library. The content of a subscribed library can be cached or not cached. If the content is cached, you can release a library by evicting it if you have this privilege. | Library |
Content library.Import Storage | Allows a user to import a library item if the source file URL starts with ds:// or file://. This privilege is disabled for content library administrator by default. Because an import from a storage URL implies import of content, enable this privilege only if necessary and if no security concern exists for the user who performs the import. | Library |
Content library.Manage Harbor registry resources on specified compute resource | Allows management of VMware Tanzu Harbor Registry resources. | Compute cluster |
Content library.Probe subscription information | This privilege allows solution users and APIs to probe a remote library’s subscription info including URL, SSL certificate, and password. The resulting structure describes whether the subscription configuration is successful or whether there are problems such as SSL errors. | Library |
Content library.Publish a library item to its subscribers | Allows publication of library items to subscribers. | Library. Set this permission to propagate to all library items. |
Content library.Publish a library to its subscribers | Allows publication of libraries to subscribers. | Library |
Content library.Read storage | Allows reading of content library storage. | Library |
Content library.Sync library item | Allows synchronization of library items. | Library. Set this permission to propagate to all library items. |
Content library.Sync subscribed library | Allows synchronization of subscribed libraries. | Library |
Content library.Type introspection | Allows a solution user or API to introspect the type support plug-ins for the content library service. | Library |
Content library.Update configuration settings | Allows you to update the configuration settings. | Library |
No vSphere Client user interface elements are associated with this privilege. | ||
Content library.Update files | Allows you to upload content into the content library. Also allows you to remove files from a library item. | Library |
Content library.Update library | Allows updates to the content library. | Library |
Content library.Update library item | Allows updates to library items. | Library. Set this permission to propagate to all library items. |
Content library.Update local library | Allows updates of local libraries. | Library |
Content library.Update subscribed library | Allows you to update the properties of a subscribed library. | Library |
Content library.Update subscription of a published library | Allows updates of subscription parameters. Users can update parameters such as the subscribed library’s vCenter Server instance specification and placement of its virtual machine template items. | Library |
Content library.View configuration settings | Allows you to view the configuration settings. | Library |
No vSphere Client user interface elements are associated with this privilege. |
Advanced Content Library settings
Several advanced configuration settings are configurable with the VMware Content Library. You can get to these by navigating to Content Libraries > Advanced.
Content Library advanced settings
These include the following settings as detailed by VMware:
Configuration Parameter | Description |
Library Auto Sync Enabled | This setting enables automatic synchronization of subscribed content libraries. |
Library Auto Sync Refresh Interval (minutes) | The Interval between two consequent automatic synchronizations of the subscribed content library. This interval is measured in minutes. |
Library Auto Sync Setting Refresh Interval (seconds) | This is the Interval after which the refresh interval for the automatic synchronization settings of the subscribed library will be updated if it has been changed. It is measured in seconds. A change in the refresh interval requires a restart of vCenter Server. |
Library Auto Sync Start Hour | This setting refers to the time of day when the automatic synchronization of a subscribed content library begins |
Library Auto Sync Stop Hour | This setting refers to the time of day when the automatic synchronization of a subscribed content library stops. Automatic synchronization stops until the start hour. |
Library Maximum Concurrent Sync Items | The maximum number of items concurrently synchronizing for each subscribed library. |
Max concurrent NFC transfers per ESX host | The maximum concurrent NFC transfers per ESXi host limit |
Maximum Bandwidth Consumption | The bandwidth usage threshold. It is measured in Mbps across all transfers where 0 means unlimited bandwidth. |
Maximum Number of Concurrent Priority Transfers | The Concurrent transfer limit for priority files. Tranfers are queued if the bandwidth limit is exceeded. This threadpool is used only to transfer priority objects. For example, if you change the concurrent transfer limit for priority files, such as OVF, you must restart vCenter Server. |
Maximum Number of Concurrent Transfers | Concurrent transfer limit. When exceeded, the transfers are queued. If you change the concurrent transfer limit, it requires a restart of vCenter Server. |
To properly protect your VMware environment, use Altaro VM Backup to securely backup and replicate your virtual machines. We work hard perpetually to give our customers confidence in their VMware backup strategy.
To keep up to date with the latest VMware best practices, become a member of the VMware DOJO now (it’s free).
Wrapping up
The VMware Content Library provides a centralized repository that allows keeping required file resources, virtual machine templates, ISO images vApps, and other files synchronized and available across the vSphere datacenter. In vSphere 7, the Content Library allows organizations to have a better way to keep up with and track changes to virtual machine templates. Using the new check-in/check-out process, VI admins can track changes made with each check-out and ensure these are documented and synchronized back to the Content Library.
It effectively provides a solution to remove the need to copy files between ESXi hosts or vSphere clusters and have what you need to install guest operating systems or deploy virtual machine templates. In addition, the subscribed Content Library allows synchronizing vCenter Server content libraries so that many other vCenter Servers can take advantage of the files already organized in the published Content Library.
The VMware Content Library is one of the more underutilized tools in the VI admin’s toolbelt that can bring about advantages in workflow, efficiency, and time spent finding and organizing files for deploying VMs and OS’es. In addition, the recent feature additions and improvements, such as check-ins/check-outs, have provided a more DevOps approach to tracking and working with deployment resources.
Source :
https://www.altaro.com/vmware/vmware-content-library/