How to check if NGT are properly installed on VMs.

  • 9 October 2017
  • 7 replies
  • 9677 views

Badge +6
Hi All,

We have a customer running Nutanix on an ESXi cluster, who has now bought a Nutanix DRC cluster running on AHV. NGT is mounted and installed on the VMs within the ESXi cluster, and the Data Protection feature is now used to replicate the VMs from the DC cluster (ESXi) to the DRC cluster (AHV).

The problem now is that we have performed a few VM clone and migration tests to the DRC cluster, but some of the VMs are unable to boot at the DRC cluster (we have installed NGT on the supported OSes listed in: Operating System Supported for NGT: https://portal.nutanix.com/#/page/docs/details?targetId=Web-Console-Guide-Prism-v51:man-nutanix-guest-tool-c.html).

Is there any possible way we could check if NGT is properly installed (as we did install it successfully, but the problem still arises)?

7 replies

Userlevel 2
Badge +12
You should be able to see in Prism, by selecting the VM and checking the side panel "NGT enabled yes"

You can also query using ncli

ncli nutanix-guest-tools get vm-id="vm_id"
Badge +6
Hi Jason,

I believe that "Enabled" is one thing, but "installed" is another. You can click "Enable NGT" within Prism and all it does is mount the NGT installer to the VM, and the Prism view and ncli cmd provided would show/output "NGT enabled" (yes).

FYI, we have enabled and installed NGT to ALL of the protected VMs, where MOST of the VMs are bootable at the DRC cluster, but not for SOME (3 for now, yet to complete the test on all protected VMs), hence the topic creation.
Userlevel 2
Badge +12
You can check NGT is communicating with the cluster, I believe, with

ncli nutanix-guest-tools list

It will show an output including:
Communication Link Active : true or false

This should show if NGT is working I would think

Cheers
Badge +1
Hi, I'm also troubleshooting NGT tools and I found some additional info:

After updating AOS, I received messages about obsolete tools from Prism, but when I try to install the new version I receive the message "lastest version already installed"

A REST API (3.1) query gives me a different point of view and shows me "obsolete" or "enabled but not installed" tools.

Running this command from a CVM, "ncli ngt list", I found that all the VMs have a communication problem:

code:
VM Id : xxxxxxxx::xxxxxx
VM Name : yyyyyyyy
NGT Enabled : true
Tools ISO Mounted : false
Vss Snapshot : true
File Level Restore : false
Communication Link Active : false


(I have removed the UUID and VM name from this text)

Then, checking inside the Linux VM, I can see that the NGT Python processes are running but there are errors in /usr/local/nutanix/ngt/logs/guest_agent_service.log

code:
ERROR guest_agent_service.py:391 Failed to send RPC request


Maybe someone in our firewall department missed TCP port 2704, while right now it is still not clear to me whether the communication from the VM has to be enabled to the cluster CVM VIP or to all the CVM addresses.

...to be continued...
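
Added example, not written by any poster in this thread or by Nutanix: a small Python filter for the `ncli ngt list` output quoted above that separates VMs where NGT is only enabled from VMs whose agent has an active communication link. The field names come from that output; the sample records, the state labels and the function names are constructed for illustration.

```python
import sys

# Constructed sample in the layout of the `ncli ngt list` output quoted above;
# VM ids and names are placeholders.
SAMPLE = """\
VM Id : 0001::aaaa
VM Name : app01
NGT Enabled : true
Communication Link Active : false

VM Id : 0001::bbbb
VM Name : db01
NGT Enabled : true
Communication Link Active : true

VM Id : 0001::cccc
VM Name : legacy01
NGT Enabled : false
Communication Link Active : false
"""

def parse_ngt_list(text):
    """Return one dict per VM; each 'VM Id' line starts a new record."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first ':' only, ids contain '::'
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "VM Id":
            current = {}
            records.append(current)
        if current is not None:                 # ignore any text before the first VM
            current[key] = value
    return records

def ngt_state(vm):
    """Classify a record. 'Enabled' alone does not prove a working agent."""
    if vm.get("NGT Enabled", "").lower() != "true":
        return "not-enabled"
    link = vm.get("Communication Link Active")
    if link is None:
        return "unknown"                        # field missing from this output
    return "ok" if link.lower() == "true" else "enabled-no-link"

def needs_attention(text):
    """(VM name, state) for every VM whose state is not 'ok'."""
    return [(vm.get("VM Name", vm["VM Id"]), ngt_state(vm))
            for vm in parse_ngt_list(text) if ngt_state(vm) != "ok"]

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, state in needs_attention(data):
        print(f"{name}: {state}")
```

Piping the real `ncli ngt list` output from a CVM into the script replaces the constructed sample; VMs reported as `enabled-no-link` are the ones to check in the guest agent log and on the firewall path.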
You should have meant NGT communication uses TCP port 2074 (not 2704)
Badge +1
You should have meant NGT communication uses TCP port 2074 (not 2704)
Of course (just a typo)

But the port doesn't change the concept: my firewall department asked me why, in a hybrid cloud environment, they have to open that port for all servers and create a possible security hole. Why can't the hypervisor communicate directly with the VMs?

Good questions.

In order for the hypervisors to work with the VMs, there will, of course, be communication at least going in one direction - from the hypervisor to the VM. When we say “communicate directly”… what that brings to my mind is the hypervisor just introducing code directly into the VM’s memory somehow, because, of course, it’s really the hypervisor’s memory, right?

Unfortunately, in order to do so, Nutanix (VMware, etc.) would have to completely understand everything in its VMs (Windows (all versions), Linux (all versions), etc.) that could be hosted in said VM.

IP is a great way as it allows two hosts to talk to each other and it can be controlled via a firewall, if necessary. It’s also something that everybody understands. Secure (as we know it =) libraries for using this communication method have been around and under development for decades: There simply isn’t a need to develop anything new (introducing all sorts of NEW vulnerabilities).

 

Hope this helps. 

 
