I’ve never found the Suspend feature in a vSphere environment all that useful – truth be told, I’ve never used it once. It definitely has more value on a desktop running VMware Workstation, because it’s an easy way to “pause” a lab or some other miscellaneous VM. But hey – I suppose someone uses it, or else it wouldn’t be available, right? 🙂
As it happens, I was handed the task of finding a method to disable the ability to Suspend a vApp or VM within vCloud Director 5.1, which I must admit was a new use case for me to tackle. Unlike vSphere, which has granular control over all of the various VM tasks (power on, off, restart, suspend, etc), vCloud Director lumps all of these abilities into one permission. You can either give someone authority to perform all of the various power tasks or none of them at all. The goal here was to ensure no one accidentally Suspended a vApp by a misclick or out of curiosity.
I couldn’t just uncheck the box – the idea of robbing a user of the ability to start and stop their own vApps was not going to cut it, so I looked towards another method to deny the Suspend ability.
Contents
Blocking Tasks
In this particular scenario, blocking tasks were not be leveraged by the IT team. For those new to the term, a blocking task is a sort of wedge driven into a task that allows for some decision making and automation to occur. Typically, the task is delivered to an AMQP (Advanced Message Queuing Protocol) server, which is then ultimately given to a decision making brain with the responsibility of either allowing or failing the task. However, even without an AMQP server you do have the ability to hard configure a response to any blocking tasks without having to worry about a message queue.
Because of this, I had an easy way of making sure that any requests to Suspend a VM or vApp via the vCloud Director GUI or API could be denied. The configuration is two steps.
Step 1 – Fail All Blocking Tasks
First, set a default response to all blocking tasks to fail after 1 second. This is found in the System > Administration > Extensibility > Settings > Blocking Task Settings area. Change the Default Blocking Task Timeout to 1 second and the Default Timeout Action to Fail. Make sure to Apply your configuration at the bottom.
Step 2 – Configure Blocking Tasks
The next step is to enable some tasks for blocking. From the previous location, just click on the Blocking Tasks tab and expand the vApp Power Operations folder. Enable the two Suspend vApp tasks. Again, make sure to Apply your configuration at the bottom.
Results
Once completed, you can test a Suspend on a VM to witness the results. The Suspend task will process for a brief period of time and ultimately fail. I’ve taken a screenshot of a vApp in my lab below – note that the message is “Cannot suspend” with the details “Automatically failed due to timeout”.
Note that this blocks anyone from Suspending a VM or vApp in your vCloud Director environment – including you! But, if you have no need to suspend, it shouldn’t matter.
