Collect metrics from ESXi Host and VM's performance metrics
Attention! This exporter has not been tested with vCloud Director due to the fact that I do not have a license for it. If someone can test this functionality I will be glad. It would be ideal to have access to it for further product development.
- Get hypervisor metrics
- Get performance metrics for virtual machines
- Using Hashicorp Vault to Store Authorization Data on Hypervisors
- Can work without a Hashicorp Vault if the login and password for all hypervisors are the same, and you are not embarrassed by passing them through environment variables
- Works in multi-target mode
- Create Grafana Dashboards
- Refactor and Optimize Code
$ GOOS=linux GOARCH=amd64 make build$ docker build -f ./Dockerfile.local -t vmware-exporter .Download or build the most suitable binary from the releases tab
Then:
$ ENV_VARS ./.bin/vmware-exporterENV_VARS - see list of environment variables for configure exporter
$ docker run --rm \
-p 9513/tcp \
--name vmware_exporter \
--env VMWARE_EXPORTER_BIND_ADDR=0.0.0.0:9513 \
--env VMWARE_EXPORTER_VMWARE_USER=monitoring \
--env VMWARE_EXPORTER_VMWARE_PASSWORD=strongPass \
--env VMWARE_EXPORTER_LOG_LEVEL=info \
--env VMWARE_EXPORTER_HTTP_WRITE_TIMEOUT=30s \
--env VMWARE_EXPORTER_HTTP_READ_TIMEOUT=30s \
--env VMWARE_EXPORTER_SCRAPE_TIMEOUT=30s \
ghcr.io/hamnsk/vmware-exporter:latestFor authorization in Vault, the App Role method is used. Refer to the Vault documentation to set up this method.
$ vault auth enable approleFor authorization on the destination ESXI host, the exporter will find two secrets "username" and "password" in the path you specified. The path must be specified with the target host.
$ vault kv put {{kv2_engine_name}}/{{path}}/{{target}} username="monitoring"
$ vault kv put {{kv2_engine_name}}/{{path}}/{{target}} password="monitoring"For example if we want to write authorization data for the esxi0001 host, we need to specify to execute the following commands:
$ vault kv put secrets/esxi/monitoring/esxi0001 username="monitoring"
$ vault kv patch secrets/esxi/monitoring/esxi0001 password="monitoring"Then create a key tree access policy, we need read access to the keys, and a listing of available targets
$ vault policy write -tls-skip-verify vmwere-exporter -<<EOF
path "secrets/esxi/monitoring/*" {
capabilities = [ "read", "list" ]
}
EOFThen we need to install the policy created in the previous step for our role. The lifetime of the token and secret can be set to your taste, but the Vault developers recommend setting a short lifetime. The exporter can automatically extend the lifetime of the token. The "bind_secret_id" parameter must be set to false, this is necessary in order to pass only the "role_id" parameter when configuring the exporter, the exporter will do the rest. It is also recommended to set the CIDR of the subnets where the exporter will be launched, in order to exclude the possibility of obtaining a secret and a token from another place. Can be limited to 1 host, such as where the exporter is running.
$ vault write -tls-skip-verify auth/approle/role/vmware-exporter \
token_policies="vmwere-exporter" \
token_ttl=5m \
token_max_ttl=10m \
secret_id_bound_cidrs="0.0.0.0/0","127.0.0.1/32" \
token_bound_cidrs="0.0.0.0/0","127.0.0.1/32" \
secret_id_ttl=5m policies="vmwere-exporter"\
bind_secret_id=falseThen check your App Role
$ vault read -tls-skip-verify auth/approle/role/vmware-exporter-demoIf all is well, then get the "role_id" parameter to set the value of the environment variable VMWARE_EXPORTER_VAULT_ROLE_ID.
$ vault read -tls-skip-verify auth/approle/role/vmware-exporter/role-id
Visiting http://localhost:9513/probe?target=esxi.host.name.or.ipaddr for collect metrics from ESXi host
Then visit http://localhost:9513/metrics will return metrics for a main app
VMWare exporter implements the multi-target exporter pattern, so we advice to read the guide Understanding and using the multi-target exporter pattern to get the general idea about the configuration.
The vmware exporter needs to be passed the target as a parameter, this can be done with relabelling.
Example config:
scrape_configs:
- job_name: 'vmware_exporter'
metrics_path: /probe
static_configs:
- targets:
- esxi0001.localdomain
- esxi0002.tech
- 192.168.1.17
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: 127.0.0.1:9513 # The vmware exporter's real hostname:port.VMWare exporter is configured via a environment variables.
| ENV VARIABLE | DEFAULT | DESCRIPTION |
|---|---|---|
| VMWARE_EXPORTER_BIND_ADDR | :9513 | Exporter bind address in format XXX.XXX.XXX.XXX:PORT |
| VMWARE_EXPORTER_VMWARE_USER | monitoring | ESXi user name when not using a Vault |
| VMWARE_EXPORTER_VMWARE_PASSWORD | password | ESXi user password when not using a Vault |
| VMWARE_EXPORTER_LOG_LEVEL | info | Log level e.g. in info,warn,error,debug |
| VMWARE_EXPORTER_HTTP_WRITE_TIMEOUT | 30s | Time duration e.g. 30s or 1m |
| VMWARE_EXPORTER_HTTP_READ_TIMEOUT | 30s | Time duration e.g. 30s or 1m |
| VMWARE_EXPORTER_USE_VAULT | not set | Bool flag use or not Hashicorp Vault as credentials storage |
| VMWARE_EXPORTER_VAULT_ADDR | not set | Address of Hashicorp Vault |
| VMWARE_EXPORTER_VAULT_AUTH_NAME | not set | Name of authorization method APP Role for example: appauth |
| VMWARE_EXPORTER_VAULT_ROLE_ID | not set | App Role ID |
| VMWARE_EXPORTER_VAULT_SECRET_STORE_NAME | not set | Name of kv2 secret store for example: secrets |
| VMWARE_EXPORTER_VAULT_SECRET_STORE_PATH | not set | Path to root of credentials for example esxi/monitoring |