Dynamic Environment Manager integration with Linux

VMware Dynamic Environment Manager (DEM) can do wonders for the Windows OS as well as for user profiles, and there is a huge amount of content available on VMware Docs and across the Internet covering various use cases and issues around it.

When we look at DEM for Linux, only a limited feature set is available, described under "Create a Horizon Smart Policy in User Environment Manager" in VMware Docs, and there is a twist to the story here.

DEM in Horizon for Linux doesn't use the DEM FlexEngine agent; instead it relies on the Horizon Agent itself. This leads to a lot more changes in the configuration, which are not highlighted clearly in the documents and even contradict the DEM configuration requirements.

So let me start it this way: you have a running deployment of DEM, or you deployed a new setup as per VMware best practices for Windows OS. One fine day, you want to use DEM for Linux, and you configure the path of the DEM configuration in the Linux Agent custom config file using your favourite editor.

vim /etc/vmware/viewagent-custom.conf

Save the config file and restart the agent; the machine will be in the Available state in the Horizon Connection Server. Once you try to connect to the Linux VDI using Horizon Client, you get an error.

In the agent debug log /var/log/vmware/viewagent-debug.log, you will see the following entries:

2021-01-21T08:47:20.572Z DEBUG <pool-2-thread-1> [DesktopHandler] [DesktopID: 2] The endpoint IP is 10.10.10.100
2021-01-21T08:47:20.572Z INFO  <pool-2-thread-1> [UEMPolicy] Get UEM policies 
2021-01-21T08:47:20.572Z ERROR <pool-2-thread-1> [UEMPolicy] Error parse UEM policy: null 
2021-01-21T08:47:20.572Z INFO  <pool-2-thread-1> [StandaloneAgentConfig] Load UEM policy failed 
2021-01-21T08:47:20.572Z INFO  <pool-2-thread-1> [UEMMountManager] Umount the UEM network path 
2021-01-21T08:47:20.572Z DEBUG <pool-2-thread-1> [UEMMountManager$MountWorker] Run the command /usr/lib/vmware/viewagent/bin/UMountFolder.sh 
2021-01-21T08:47:20.578Z ERROR <pool-2-thread-1> [UEMMountManager$MountWorker] Run the command /usr/lib/vmware/viewagent/bin/UMountFolder.shfail as exit value 2 
2021-01-21T08:47:20.578Z INFO  <pool-2-thread-1> [StandaloneAgentConfig] Umounting UEM network path failed 
2021-01-21T08:47:20.578Z DEBUG <pool-2-thread-1> [UEMMountManager] The UEM mount point exists already 
2021-01-21T08:47:20.578Z INFO  <pool-2-thread-1> [UEMMountManager] Mount the UEM network path 
2021-01-21T08:47:20.578Z DEBUG <pool-2-thread-1> [UEMMountManager$MountWorker] Run the command /usr/lib/vmware/viewagent/bin/MountFolder.sh 
2021-01-21T08:47:20.584Z ERROR <pool-2-thread-1> [UEMMountManager$MountWorker] Run the command /usr/lib/vmware/viewagent/bin/MountFolder.shfail as exit value 5 
2021-01-21T08:47:20.584Z ERROR <pool-2-thread-1> [StandaloneAgentConfig] Mount UEM network path failed 
2021-01-21T08:47:20.584Z ERROR <pool-2-thread-1> [DesktopHandler] [DesktopID: 2] Failed to initialize uem policy. 
2021-01-21T08:47:20.584Z DEBUG <pool-2-thread-1> [DesktopHandler] [DesktopID: 2] Cancel request 7 
2021-01-21T08:47:20.584Z DEBUG <pool-2-thread-1> [SessionTaskTimer] IPC request timer 7 cancelled 

In the Linux OS log /var/log/messages, you will see the following:

Status code returned 0xc000006d STATUS_LOGON_FAILURE
CIFS VFS: Send error in SessSetup = -13
CIFS VFS: cifs_mount failed w/return code = -13

To troubleshoot this issue, I started by mounting the DEM Config file share manually in the Linux VM using a user's credentials, which went through without any issue.
Note: Ensure that you have the necessary package installed in the Linux OS to mount CIFS/NFS shares.

After a lot of investigation into this issue and discussion with peers, I came to understand that Horizon Agent mounts the share without any authentication, and hence the mount fails. This calls for a change in the requirements for the DEMConfig share for Linux, which is mentioned in the Horizon 2012 documentation on VMware Docs; none of the previous versions mention it. This is also a bit contradictory to what is defined for DEM.

Horizon Agent mounts the Config share at /var/vmware/UEM. When I did the same manually and tried logging in to the VDI using Horizon Client, it worked. The Horizon Agent logs show the following:

2021-01-21T23:19:45.617Z DEBUG <pool-2-thread-1> [DesktopHandler] [DesktopID: 1] The endpoint IP is 10.10.10.67 
2021-01-21T23:19:45.617Z INFO  <pool-2-thread-1> [UEMPolicy] Get UEM policies 
2021-01-21T23:19:45.621Z DEBUG <pool-2-thread-1> [UEMPolicy] Parse the UEM file disable cdr.xml 
2021-01-21T23:19:45.624Z DEBUG <pool-2-thread-1> [UEMPolicy] Condition element evaluate fail as the condition combination pattern must be "(os=linux) and (tsip in/notin range1) and/or (tsip in/notin range2) and/or ..." 
2021-01-21T23:19:45.624Z INFO  <pool-2-thread-1> [UEMPolicy] Ignore the UEM file as condition match unsuccessfully 
2021-01-21T23:19:45.624Z DEBUG <pool-2-thread-1> [UEMPolicy] Parse the UEM file disable USB.xml 
2021-01-21T23:19:45.628Z DEBUG <pool-2-thread-1> [UEMPolicy] Condition element evaluate fail as the condition combination pattern must be "(os=linux) and (tsip in/notin range1) and/or (tsip in/notin range2) and/or ..." 
2021-01-21T23:19:45.628Z INFO  <pool-2-thread-1> [UEMPolicy] Ignore the UEM file as condition match unsuccessfully 
2021-01-21T23:19:45.628Z DEBUG <pool-2-thread-1> [UEMPolicy] Parse the UEM file Enable USB.xml 
2021-01-21T23:19:45.629Z DEBUG <pool-2-thread-1> [UEMPolicy] Condition element evaluate fail as the condition combination pattern must be "(os=linux) and (tsip in/notin range1) and/or (tsip in/notin range2) and/or ..." 
2021-01-21T23:19:45.630Z INFO  <pool-2-thread-1> [UEMPolicy] Ignore the UEM file as condition match unsuccessfully 
2021-01-21T23:19:45.630Z DEBUG <pool-2-thread-1> [UEMPolicy] Parse the UEM file Linux.xml 
2021-01-21T23:19:45.631Z DEBUG <pool-2-thread-1> [UEMPolicy] The condition in group is tsip 
2021-01-21T23:19:45.631Z DEBUG <pool-2-thread-1> [UEMIPRange] The client ip is 174598979, the lower is 174587904, the upper is 174653439 
2021-01-21T23:19:45.631Z DEBUG <pool-2-thread-1> [UEMPolicy] The condition in group is tsip 
2021-01-21T23:19:45.631Z DEBUG <pool-2-thread-1> [UEMIPRange] The client ip is 174598979, the lower is 174812672, the upper is 174812927 
2021-01-21T23:19:45.631Z INFO  <pool-2-thread-1> [UEMPolicy] Extract the UEM horizon smart policies as condition match successfully 
2021-01-21T23:19:45.631Z INFO  <pool-2-thread-1> [UEMPolicy] Get horizon smart policies 
2021-01-21T23:19:45.631Z DEBUG <pool-2-thread-1> [UEMPolicy] Parse the UEM file testGPU.xml 
2021-01-21T23:19:45.633Z DEBUG <pool-2-thread-1> [UEMPolicy] Condition element evaluate fail as the condition element is null 
2021-01-21T23:19:45.633Z INFO  <pool-2-thread-1> [UEMPolicy] Ignore the UEM file as condition match unsuccessfully 
2021-01-21T23:19:45.633Z INFO  <pool-2-thread-1> [UEMNonPersistentConfig] [DesktopID: 1] The USB is true 
2021-01-21T23:19:45.633Z DEBUG <pool-2-thread-1> [DesktopHandler] [DesktopID: 1] The CDR is enabled by UEM policy 
2021-01-21T23:19:45.633Z INFO  <pool-2-thread-1> [UEMNonPersistentConfig] [DesktopID: 1] The CDR is enabled 
2021-01-21T23:19:45.633Z INFO  <pool-2-thread-1> [UEMNonPersistentConfig] [DesktopID: 1] The CDR permission is A 
2021-01-21T23:19:45.633Z DEBUG <pool-2-thread-1> [DesktopHandler] [DesktopID: 1] The Clipboard is enabled by UEM policy 
2021-01-21T23:19:45.633Z INFO  <pool-2-thread-1> [UEMNonPersistentConfig] [DesktopID: 1] The Clipboard direction is 1 
2021-01-21T23:19:45.633Z INFO  <pool-2-thread-1> [UEMNonPersistentConfig] [DesktopID: 1] The non persistent config path exists already 
2021-01-21T23:19:45.634Z INFO  <pool-2-thread-1> [UEMNonPersistentConfig] [DesktopID: 1] Store the uem config to file /var/vmware/nonPersistent/uemconfig-1 
2021-01-21T23:19:45.634Z INFO  <pool-2-thread-1> [DesktopHandler] [DesktopID: 1] Start session for user: vdi01 

So with this, we have figured out what was leading to the issue and what the requirement is, but it was not that easy to fix for all the users. It calls for making the DEMConfig share public, which may not be feasible for a customer; in my case, I even tried to do it but couldn't. Do let me know if there is any way to achieve it for CIFS. Happy to learn 🙂

Well, I thought of an approach here: create a service account in the domain, assign it read permission on the DEM Config share, and mount the DEM Config share in the Linux image using that service account. As we can't mount the DEM Config share by hand in all 100 of VDI, we have to rely on a credentials file.

  • Create a file /etc/vmware/.smbcredentials and add the following data.
    Note: You can keep this credential file at any location.
        username=<serviceAccount>
        password=<PasswordForServiceAccount>
  • Add an entry in /etc/fstab:
        //<FileServer>/DEMConfig /var/vmware/UEM cifs credentials=/etc/vmware/.smbcredentials,defaults 0 0
  • Run the command mount -a as root and you are done. Restart the Horizon agent service.
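
A hardened form of the steps above, as an added example (not from the original post or from VMware): it creates the credentials file with mode 600 before the password is written, adds the fstab entry only once, and flags any cifs line that carries an inline password, since /etc/fstab is world-readable. The function names, the DEM_USER, DEM_PASS and DEM_SERVER variables, and the ro and _netdev mount options are assumptions added here.

```bash
#!/usr/bin/env bash
# Added example. Function names and the DEM_* variables are hypothetical.

# Create the CIFS credentials file with mode 600 *before* writing the secret,
# so the service account password is never readable by other local users.
write_smb_credentials() {    # $1=path  $2=username  $3=password
    install -m 600 /dev/null "$1" || return 1
    printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
}

# Succeed only if the credentials file is accessible by its owner alone.
credentials_are_private() {  # $1=path
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Append the mount entry once; a second run leaves the fstab unchanged.
# ro and _netdev are additions to the page's options (assumption): the agent
# only reads policy files, and the mount must wait for the network.
add_fstab_entry() {          # $1=fstab  $2=//server/share  $3=credentials path
    grep -qE '^[^#]*[[:space:]]/var/vmware/UEM[[:space:]]' "$1" 2>/dev/null && return 0
    printf '%s /var/vmware/UEM cifs credentials=%s,ro,_netdev 0 0\n' "$2" "$3" >> "$1"
}

# Succeed if any active cifs line embeds password= directly in the fstab,
# which is world-readable and defeats the purpose of the credentials file.
fstab_leaks_password() {     # $1=fstab
    grep -qE '^[^#]*[[:space:]]cifs[[:space:]].*password=' "$1"
}

# Apply as root on the golden image with DEM_USER, DEM_PASS and DEM_SERVER set.
if [ "${1:-}" = "--apply" ]; then
    cred=/etc/vmware/.smbcredentials
    write_smb_credentials "$cred" "$DEM_USER" "$DEM_PASS" &&
    credentials_are_private "$cred" &&
    add_fstab_entry /etc/fstab "//$DEM_SERVER/DEMConfig" "$cred" &&
    mount -a    # then restart the Horizon Agent service, as in the last step
fi
```

On the image the credentials file should also be owned by root, and the service account should hold nothing beyond read access to the DEMConfig share.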

You can follow any other method to mount the share as well. I have also tried one more way of mounting/unmounting the share, by updating the Horizon Agent files instead of fstab. If you are interested in that, please do let me know.
