frankdenneman Frank Denneman is the Machine Learning Chief Technologist at VMware. He is an author of the vSphere host and clustering deep dive series, as well as podcast host for the Unexplored Territory podcast. You can follow him on Twitter @frankdenneman

Disable vMotion for a single VM


This question pops up regularly on the VMTN forums and Reddit. It’s a valid question, but the admins who request this feature usually don’t want Maintenance mode to break, or any other feature that helps them manage large-scale environments. When you drill down, you discover that they only want to limit the option of a manual vMotion triggered by an administrator.
Instead of configuring complex DRS rules, connecting the VM to a unique portgroup, or using bus sharing configurations, you just have to add an extra permission to the VM.
The key is all about context and permission structures. When executing Maintenance mode, the move of a virtual machine is done under a different context (System) than when the VM is manually migrated by the administrator. As vCenter honors the most restrictive rule, you can still execute a Maintenance mode operation on a host while being unable to migrate a specific VM.
Here is how you disable vMotion for a single VM via the Web Client:
Step 1: Add another Role; let’s call it No-vMotion

  1. Log in as a vCenter administrator
  2. Go to the home screen
  3. Select Roles in the Administration screen
  4. Select Create Role Action (Green plus icon)
  5. Add Role name (No-vMotion)
  6. Select All Privileges
  7. Scroll down to Resource
  8. Deselect the following Privileges:
  • Migrate powered off virtual machine
  • Migrate powered on virtual machine
  • Query vMotion

Step 2: Restrict User privilege on VM.

  1. Select the “Hosts and Clusters” or “VMs and Templates” view, whichever you feel comfortable with.
  2. Select the VM and click on the Manage tab
  3. Select Permissions
  4. Click on “Add Permissions” (Green plus icon)
  5. Click on Add and select the User or Group that you want to restrict.
  6. In my example I selected the user FrankD and clicked on Add and OK
  7. On the right side of the screen in the pulldown menu select the role “No-vMotion” and click on OK.

Ensure that the role is applied to This object.
FrankD is a member of the vCenterAdmins group which has Administrator privileges propagated through the virtual datacenter and all its children.
However, FrankD has an additional role on this object: “No-vMotion”. Let’s check if it works. Log in with the user ID you restricted and right-click the VM. As shown, the option Migrate is greyed out. The VM is running on Host ESX01.
The option Maintenance Mode is still valid for Host ESX01.
Click on the option “More Tasks” in the Recent Task window. Here you can verify that FrankD is the initiator of the Maintenance mode operation, and that System migrated the virtual machine.
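
The same configuration scripted with PowerCLI, as an added example that is not part of the original post. It assumes an existing Connect-VIServer session with rights to manage roles; the VM name and the domain in the principal are placeholders, and the three privilege IDs are the API names behind the checkboxes deselected in Step 1.

```powershell
# Added example: PowerCLI equivalent of Step 1 and Step 2 above.
# Assumes you are already connected with Connect-VIServer.
$roleName  = 'No-vMotion'
$vmName    = 'EXAMPLE-VM'        # placeholder VM name
$principal = 'EXAMPLE\FrankD'    # placeholder domain for the user in the article

# API names of the three privileges deselected under Resource
$denied = @(
    'Resource.ColdMigrate',      # Migrate powered off virtual machine
    'Resource.HotMigrate',       # Migrate powered on virtual machine
    'Resource.QueryVMotion'      # Query vMotion
)

# Step 1: create the role with every privilege except the three above
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $privileges = Get-VIPrivilege -PrivilegeItem |
        Where-Object { $denied -notcontains $_.Id }
    $role = New-VIRole -Name $roleName -Privilege $privileges
}

# Step 2: assign the role to the user on the VM itself ("This object")
$vm = Get-VM -Name $vmName -ErrorAction Stop
$direct = Get-VIPermission -Entity $vm -Principal $principal |
    Where-Object { $_.EntityId -eq $vm.Id }   # skip inherited entries
if ($direct) {
    Set-VIPermission -Permission $direct -Role $role -Propagate:$false | Out-Null
} else {
    New-VIPermission -Entity $vm -Principal $principal -Role $role -Propagate:$false | Out-Null
}

# Check: stop if the role has drifted and grants a migrate privilege again
$leaked = (Get-VIRole -Name $roleName).PrivilegeList |
    Where-Object { $denied -contains $_ }
if ($leaked) { throw "Role $roleName grants: $($leaked -join ', ')" }

# Show what now applies to this user on the VM, direct and inherited
Get-VIPermission -Entity $vm -Principal $principal |
    Select-Object Entity, Principal, Role, Propagate
```

Re-running the check portion on a schedule catches the case where someone later edits the role and re-enables one of the three privileges.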

2 Replies to “Disable vMotion for a single VM”

  1. What’s the use case for limiting an admin’s ability to trigger a vMotion of a particular VM? I’m just curious as my setup (admittedly atypical) doesn’t involve a concern for limitation at this layer of administration.
    Thanks for the creative solution!

    1. Hi Steve,
      I personally never applied such a rule, but I’ve seen the request about this feature multiple times. Usually followed by draconian configurations just to prevent an administrator from manually migrating the VM. Typically most suggested configurations limit the overall mobility, hampering HA and/or Maintenance mode, or don’t do the trick at all. Either way, I thought it was time to explain contexts and permission structures involved in this config.
      I’m a big proponent of letting DRS figure out what to do. If a VM is required to run on a particular host, override DRS, configure the VM in Manual DRS mode and place an explanation in the notes section of the VM. Educate the admins that this particular VM should not be moved during normal operation hours.
