Manage Unapproved VMs

Any new VM that's managed by Commander is, by default, unapproved (unless Commander has been configured to automatically set the approval states of VMs, as described later in this topic). You have the option of marking a VM as approved and then changing that status back to unapproved at any time.

  • Only VMs can have the Unapproved state; this state isn't supported for other service types, such as virtual services, load balancers, databases, auto scaling groups and application stacks.
  • The Approval policy and the approval state are deprecated and will be removed in a future release.

You can use the approval state of a VM to work with the Approval policy by setting that policy to trigger an action when an attempt to relocate or start an unapproved VM is made. For example, if an attempt is made to start an unapproved VM, the Approval policy can alert you of the attempt or can shut the VM down immediately. The policy therefore allows you to mandate that Commander brokers all access to the cloud account.

You can also configure Commander to automatically approve VMs that arrive in inventory through the use of third-party deployment tools.

If you require custom integration, contact Support to discuss your requirements.

Set the Approval state of a VM

Access:

Views > Inventory > Infrastructure or Applications

Available to:

Administrator, Operator with Approval Access Rights

  1. Select a service in the tree or in a table.
  2. Right-click and choose Policy Enforcement > Set Approval State.
  3. In the Set Approval State dialog, select Approved or Unapproved as required.
  4. Click Set.

Configure the Approval policy

The Approval policy changes the Approval state for templates, but policy actions (for example, deletion) are not performed for templates. It's possible to deploy a VM from a template in the Unapproved state.

The Approval policy applies only to VMs.

  • The Approval policy and the approval state are deprecated and will be removed in a future release.
  • Any configuration of this policy on a system-wide basis can affect all cloud accounts that are managed by Commander now and can affect all cloud accounts that are added to Commander in the future. If you don't want any cloud account to be automatically affected by this policy, configure the policy by selected infrastructure elements only. For more information, see Manage policies when adding new hosts.

Access:

Configuration > Policies

Available to:

Commander Role of Superuser and Enterprise Admin

Administrator Access Rights

  1. On the Configuration page, click Add.
  2. On the Choose a Policy page, select Unapproved from the list of policies, then click Next.
  3. On the Policy Name/Description page, enter a name (for example, "Approval Policy for Production"), and an optional description, then click Next.
  4. On the Choose a Target page, expand the Infrastructure tree if required, and select the infrastructure elements to which you want the policy to apply, then click Next.

    You can't select a folder as a target.

  5. On the Configure the Policy page, to configure the policy but keep it turned off until you are ready to enable it, make sure Enable policy is unchecked.
  6. From Take Action, choose one of the following options:

    When you click:

    After you enable the policy and if the policy is triggered, the result is:

    Notification Only

    No action is taken. An alert is created, notifying you that the policy has triggered. See also Subscribe to Policy Alerts.

    Quarantine

    The VM is quarantined if the policy is triggered.

    Note: If you include this action in a policy targeting services in a cloud account other than vCenter, the action will fail.

    Suspend

    The VM is suspended (saved in its current state).

    Not supported for VMs in public cloud accounts. If you include this action in a policy targeting services in a public cloud account, the action will fail.

    Stop

    The Guest OS is shut down.

    Remove from Inventory

    The VM is removed from inventory. Note that the file remains in the datastore.

    Note: If you include this action in a policy targeting services in a cloud account other than vCenter, the action will fail.

    Delete from Disk

    The VM and its associated files are deleted permanently from the disk.

    When you delete a VM from disk, the files are permanently deleted. They can't be recovered unless you have a backup copy.

    When all VMs are deleted from a virtual service through a policy action (that is, when VMs are deleted by a policy action or by a command workflow attached to an expiry policy), the empty virtual service isn't automatically deleted unless it too is targeted by policy.

    Run [Workflow]

    Existing command workflows appear for selection, organized by target type. If the policy is triggered, the selected workflow is run.

    You must choose a workflow with a target type that matches the target of the policy; otherwise, the workflow will fail. For example, if the selected workflow's target type is "VM", the workflow will fail if the policy targets a database. A workflow with a target type of "Any Inventory Type" can be run on all service types.

    Click Add Workflow to set up a new command workflow.

  7. Enable or clear the last checkbox to set whether you want to allow children of the targets to have their own instance of the policy.

    If you enable this option, other instances of this policy can be applied to any infrastructure elements and VMs that are children of the parent infrastructure element you have selected (an override).

  8. On the Summary page, the summary of your policy options appears.

    If you have enabled the policy and as a result, any VMs are going to be immediately affected by it, Commander displays the number of affected VMs.

    To see what VMs are affected by the policy actions you selected, click Review, then click OK to return to the summary.

  9. Click Finish to complete the configuration.

    Your policy options are now set in Commander.

Determine whether VMs inherit the approval state

When a VM is deployed from a template or cloned from another VM, the newly created VM automatically inherits the attributes that were applied to the parent template or VM or source template.

If a parent VM or template isn't approved, newly created VMs provisioned from the parents will automatically be set to non-approved.

Access:

Configuration > Policies

Available to:

Commander Role of Superuser and Enterprise Admin

  1. Click the Approval Inheritance tab.
  2. To enable each rule that you want to be applied.