1. Introduction to ManageIQ

ManageIQ delivers the insight, control, and automation that enterprises need to address the challenges of managing virtual environments. This technology enables enterprises with existing virtual infrastructures to improve visibility and control, and those starting virtualization deployments to build and operate a well-managed virtual infrastructure.

ManageIQ provides the following feature sets:

  • Insight: Discovery, Monitoring, Utilization, Performance, Reporting, Analytics, Chargeback, and Trending.

  • Control: Security, Compliance, Alerting, and Policy-Based Resource and Configuration Enforcement.

  • Automate: IT Process, Task and Event, Provisioning, and Workload Management and Orchestration.

  • Integrate: Systems Management, Tools and Processes, Event Consoles, Configuration Management Database (CMDB), Role-based Administration (RBA), and Web Services.

1.1. Architecture

The diagram below describes the capabilities of ManageIQ. Its features are designed to work together to provide robust management and maintenance of your virtual infrastructure.

The architecture comprises the following components:

  • The ManageIQ appliance (appliance) is supplied as a secure, high-performance, preconfigured virtual machine. It provides support for HTTPS communications.

  • The ManageIQ Server (Server) resides on the appliance. It is the software layer that communicates between the SmartProxy and the Virtual Management Database. It includes support for HTTPS communications.

  • The Virtual Management Database (VMDB) resides either on the appliance or another computer accessible to the appliance. It is the definitive source of intelligence collected about your Virtual Infrastructure. It also holds status information regarding appliance tasks.

  • The ManageIQ Console (Console) is the Web interface used to view and control the Server and appliance. It is consumed through Web 2.0 mash-ups and web services (WS Management) interfaces.

  • The SmartProxy can reside on the appliance or on an ESX Server. If not embedded in the Server, the SmartProxy can be deployed from the appliance. A SmartProxy agent must be configured in each storage location, and must be visible to the appliance. The SmartProxy acts on behalf of the appliance, communicating with it over HTTPS on standard port 443.

1.2. Requirements

To use ManageIQ, certain virtual hardware, database, and browser requirements must be met in your environment.

1.2.1. Virtual Hardware Requirements

The ManageIQ appliance requires the following virtual hardware at minimum:

  • 4 VCPUs

  • 12 GB RAM

  • 44 GB HDD + optional database disk

1.2.2. Database Requirements

Red Hat recommends allocating the virtual machine disk fully at the time of creation. Three main factors affect the size of your database over time:

  • Virtual Machine Count: the most important factor in the calculation of virtual machine database (VMDB) size over time.

  • Host Count: the number of hosts associated with the provider.

  • Storage Count: the number of individual storage elements as seen from the perspective of the provider or host. It is not the total number of virtual disks for all virtual machines.

Use the following table as a guideline to calculate minimum requirements for your database:


When enabling capacity and utilization for metrics gathering over a period of time, it is recommended that the VMDB size scale accordingly. Evaluate the number of instances in your provider inventory and storage duration requirements to plan for increased VMDB sizing requirements.

Use the following information to plan for your increased VMDB needs when working with metrics gathering:

  • Realtime metrics data are stored for 4 hours.

  • Rollup metrics data are stored for 6 months.





OpenStack Provider Instance: 3 Realtime Metrics; 181 (3 records * 60 minutes = 180 Realtime Metrics + 1 hourly Rollup Metric); 4,345 (3 records * 60 minutes * 24 hours = 4320 Realtime Metrics + 1 daily Rollup Metric)

  • Metrics data storage times can be configured by editing the Advanced Settings.

1.2.3. Browser Requirements

To use ManageIQ, the following browser requirements must be met:

  • One of the following web browsers:

    • Google Chrome

    • Mozilla Firefox

    • Safari

    • Internet Explorer 10 or higher

1.2.4. Additional Requirements

Additionally, the following must be configured to use ManageIQ:

  • The ManageIQ appliance must already be installed and activated in your enterprise environment.

  • The SmartProxy must have visibility into the virtual machines and cloud instances that you want to control.

  • For more information, see SmartProxies in the ManageIQ General Configuration guide.

1.3. Terminology

The following terms are used throughout the documentation. Review them before proceeding.

Account Role

The level of access a user has to different parts and functions of the ManageIQ console. There are a variety of Account Roles, which can be assigned to users to restrict or allow access to parts of the console and virtual infrastructure.


An execution that is performed after a condition is evaluated.


ManageIQ alerts notify administrators and monitoring systems of critical configuration changes and threshold limits in the virtual environment. The notification can take the form of either an email or an SNMP trap.

Analysis Profile

A customized scan of hosts, virtual machines, or instances. You can collect information from categories, files, event logs, and registry entries.


A pool of on-demand and highly available computing resources. The usage of these resources is scaled depending on the user requirements and metered for cost.

ManageIQ Appliance

A virtual machine where the virtual management database (VMDB) and ManageIQ reside.

ManageIQ Console

A web-based interface into the ManageIQ appliance.

ManageIQ Role

A designation assigned to a ManageIQ server that defines what a ManageIQ server can do.

ManageIQ Server

The application that runs on the ManageIQ appliance and communicates with the SmartProxy and the VMDB.


Hosts that are grouped together to provide high availability and load balancing.


A control policy test triggered by an event, which determines a subsequent action.


Process run by the ManageIQ server which finds virtual machine and cloud providers.


The comparison of a virtual machine, instance, host, or cluster to itself at different points in time.


A trigger to check a condition.

Event Monitor

Software on the ManageIQ appliance which monitors external providers for events and sends them to the ManageIQ server.


A computer running a hypervisor, capable of hosting and monitoring virtual machines. Supported hypervisors include RHV-H, VMware ESX hosts, and Windows Hyper-V hosts.

Instance/Cloud Instance

An on-demand virtual machine that is based upon a predefined image and uses a scalable set of hardware resources such as CPU, memory, and networking interfaces.

Managed/Registered VM

A virtual machine that is connected to a host and exists in the VMDB. Also, a template that is connected to a provider and exists in the VMDB. Note that templates cannot be connected to a host.

Managed/Unregistered VM

A virtual machine or template that resides on a repository or is no longer connected to a provider or host and exists in the VMDB. A virtual machine that was previously considered registered may become unregistered if the virtual machine was removed from provider inventory.


An external management system that ManageIQ integrates in order to collect data and perform operations.


A combination of an event, a condition, and an action used to manage a virtual machine.

Policy Profile

A set of policies.


A process run by the ManageIQ server which checks for relationships of the provider or host to other resources, such as storage locations, repositories, virtual machines, or instances. It also checks the power states of those resources.


A region is the collection of zones that share the same database for reporting and charting. A master region may be added to synchronize multiple VMDBs into one VMDB for higher-level reporting, providing a "single pane of glass" view.


A host, provider, instance, virtual machine, repository, or datastore.

Resource Pool

A group of virtual machines across which CPU and memory resources are allocated.


A place on a datastore resource which contains virtual machines.


The SmartProxy is a software agent that acts on behalf of the ManageIQ appliance to perform actions on hosts, providers, storage and virtual machines.

The SmartProxy can be configured to reside on the ManageIQ appliance or on an ESX server version. The SmartProxy can be deployed from the ManageIQ appliance, and provides visibility to the VMFS storage. Each storage location must have a SmartProxy with visibility to it. The SmartProxy acts on behalf of the ManageIQ appliance. If the SmartProxy is not embedded in the ManageIQ server, it communicates with the ManageIQ appliance over HTTPS on standard port 443.

SmartState Analysis

Process run by the SmartProxy which collects the details of a virtual machine or instance. Such details include accounts, drivers, network information, hardware, and security patches. This process is also run by the ManageIQ server on hosts and clusters. The data is stored in the VMDB.


Descriptors that allow you to create a customized, searchable index for the resources in your clouds and infrastructure.

Storage Location

A device, such as a VMware datastore, where digital information resides that is connected to a resource.


Descriptive terms defined by a ManageIQ user or the system used to categorize a resource.


A template is a copy of a preconfigured virtual machine, designed to capture installed software and software configurations, as well as the hardware configuration, of the original virtual machine.

Unmanaged Virtual Machine

Files discovered on a datastore that do not have a virtual machine associated with them in the VMDB. These files may be registered to a provider that the ManageIQ server does not have configuration information on. Possible causes may be that the provider has not been discovered or that the provider has been discovered, but no security credentials have been provided.

Virtual Machine

A software implementation of a system that functions similarly to a physical machine. Virtual machines utilize the hardware infrastructure of a physical host, or a set of physical hosts, to provide a scalable and on-demand method of system provisioning.

Virtual Management Database (VMDB)

Database used by the ManageIQ appliance to store information about your resources, users, and anything else required to manage your virtual enterprise.

Virtual Thumbnail

An image in the web interface representing a resource, such as a provider or a virtual machine, showing the resource’s properties at a glance. Each virtual thumbnail is divided into quadrants, which provide information about the resource, such as its software and power state.

Worker Appliance

A ManageIQ appliance dedicated to a role other than user interface or database.


ManageIQ Infrastructure can be organized into zones to configure failover and to isolate traffic. Zones can be created based on your environment. Zones can be based on geographic location, network location, or function. When first started, new servers are put into the default zone.

2. Planning

This guide provides some general guidelines to planning a deployment on ManageIQ. This includes creating multiple regions containing ManageIQ appliances, CPU sizing recommendations, database sizing recommendations, and database configuration.

2.1. Regions

Regions are used for centralizing data which is collected from public and private virtualization environments. A region is ultimately represented as a single database for the VMDB. Regions are particularly useful when multiple geographical locations need to be managed, as they enable all the data collection to happen at each particular location and avoid data collection traffic across slow links between networks.

When multiple regions are being used, each with its own unique ID, a master region can be created to centralize the data of all the child regions into a single master database. To do this, configure each child region to replicate its data to the master region database (the recommended region is 99, though any number up to three digits will work). The parent and child regions have a one-to-many relationship.

Regions can contain multiple zones, which in turn contain appliances. Zones are used for further segregating network traffic along with enabling failover configurations. Each appliance has the capability to be configured for a number of specialized server roles. These roles are limited to the zone containing the appliance they run on.

Only one failover type of each server role can run in a zone. If multiple appliances have the same failover role, the extras are used as backups that activate only if the primary appliance fails. Non-failover server roles can run on multiple appliances simultaneously in a zone, so resources can be adjusted according to the workload those roles are responsible for.

The following diagram demonstrates an example of the multiple regions working together in a ManageIQ environment.


The master appliance is located in Chicago and contains a master region and a subregion that manages the worker appliances. The Mahwah technology center contains a single subregion that manages two zones. Likewise, the San Diego technology center contains a single subregion managing a single zone.

  • Replicating a parent region to a higher-level parent is not supported.

  • Parent regions can be configured after the child regions are online.

The following diagram provides a closer look at a region:


In this region, we have several ManageIQ appliances acting as UI nodes and worker nodes. These worker nodes execute tasks on the providers in your environment. The region also uses a region database that reports to a master database on the main ManageIQ appliance. All appliances can connect to the authentication services (Active Directory, LDAP, Identity Management), outgoing mail (SMTP), and network services (SNMP).

ManageIQ can be configured in a highly available setup. In this case, all PostgreSQL instances must be running on a server that is deployed from the ManageIQ appliance. High availability is achieved by database replication between two or more database servers.

2.2. Roles

Server roles define what a server can do. Assigning different server roles to appliances can allow them to focus on specific functions. When planning a deployment, consider which roles to assign to each appliance. Some server roles are enabled by default in ManageIQ. Many server roles start worker processes.

Some roles are also dependent on other roles. For example, because the ManageIQ user interface relies on the API for access, the Web Services role must be enabled with the User Interface role for users to log in to the appliance. See Server Roles in General Configuration for details on each server role and its function.

2.2.1. Appliance Types

Depending on the needs of your environment, you may choose to separate worker and database tasks between appliances. One example of this is to implement a highly available configuration so that certain appliances are running the PostgreSQL database and providing failover. For more details about configuring high availability, see the High Availability Guide.

The following provides a summary of types of appliances:

Table 1. Appliance types

| Appliance Type | Database | Workers | Description |
|---|---|---|---|
| VMDB appliance | Yes | Yes | Worker processes are running, and it also hosts its own database that other appliances can connect to. |
| Non-database appliance | No | Yes | Worker processes are running on the appliance, but it does not host a database. The appliance is connected to an external database. |
| Dedicated-database appliance | Yes | No | This appliance contains no worker processes, only a database for other appliances to connect to. |
| Non-ManageIQ VM with database | Yes | No | This appliance contains no worker processes, only a database. As this is not a ManageIQ appliance, you cannot run any ManageIQ rake tasks on it. This appliance must be migrated using a non-database appliance that is pointed at it, using it as a database. |

2.3. Centralized Administration

ManageIQ includes centralized administration capabilities, where certain operations can be initiated from the global region and processed and executed on remote regions. From the global region, you can also access the user interfaces of virtual machines residing in remote regions.

The following life cycle management operations can be initiated from the global region using centralized administration:

  • Virtual machine provisioning

  • Virtual machine power operations

  • Virtual machine retirement

  • Virtual machine reconfiguration

  • Service provisioning

  • Service retirement

  • Opening a virtual machine in the remote region

ManageIQ life cycle operations other than those listed above are not supported. Centralized administration capabilities are not supported from the Self Service user interface.

With centralized administration, the remote_queue_put leverages a new system-to-system REST API request to forward the original request to the remote region. This request is put in the local queue in the remote region, which is then delivered by a worker in the remote region as if it was queued there all along. As a result, a ManageIQ operator in the global region can be seen as provisioning on behalf of a remote region.

Centralized Administration Diagram

The operations initiated from the global region are subject to the role-based access control (RBAC) rules on the remote region. The user in the remote region which matches the logged-in user’s user ID will be used to enforce RBAC in the target region. The operation will fail on the remote system if the user does not have the required permissions.
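The RBAC behaviour described above can be checked before operators start using centralized administration. The following Ruby sketch is an added example, not ManageIQ code: the user IDs, permission names, and hash layout are constructed for illustration and do not reflect ManageIQ's data model or API. It reports which global-region users would fail in the remote region, and which accounts carry different rights there.

```ruby
# Added example, not part of ManageIQ. All data below is constructed.
require "set"

# userid => operations the account may perform, per region (hypothetical names)
GLOBAL_USERS = {
  "alice" => Set["vm_provision", "vm_power", "vm_retire"],
  "bob"   => Set["vm_power"],
  "carol" => Set["vm_provision"],
}.freeze

REMOTE_USERS = {
  "alice" => Set["vm_provision", "vm_power", "vm_retire"],
  "bob"   => Set["vm_power", "vm_retire"], # differs from the global account
  # "carol" has no account in the remote region
}.freeze

# Outcome of an operation started in the global region. The remote region
# decides: it looks up the same user ID and applies its own RBAC rules.
def remote_outcome(userid, operation, remote_users)
  perms = remote_users[userid]
  return :no_matching_user if perms.nil?

  perms.include?(operation) ? :allowed : :denied_by_remote_rbac
end

# Compare the two regions account by account and list what needs review:
#   :no_matching_user   - every forwarded operation fails for this user
#   :remote_grants_less - these operations fail when forwarded
#   :remote_grants_more - the remote account allows more than the global one
def audit(global_users, remote_users)
  findings = []
  global_users.each do |userid, global_perms|
    remote_perms = remote_users[userid]
    if remote_perms.nil?
      findings << [userid, :no_matching_user, global_perms.to_a.sort]
      next
    end
    less = (global_perms - remote_perms).to_a.sort
    more = (remote_perms - global_perms).to_a.sort
    findings << [userid, :remote_grants_less, less] unless less.empty?
    findings << [userid, :remote_grants_more, more] unless more.empty?
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit(GLOBAL_USERS, REMOTE_USERS).each do |userid, finding, ops|
    puts "#{userid}: #{finding} (#{ops.join(', ')})"
  end
end
```

Because the remote region's rules are the ones enforced, any account whose rights differ between regions is worth reviewing when the regions are joined.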

In this version of ManageIQ, configuring database replication automatically enables centralized configuration, eliminating the need for further configuration.

2.4. Tenancy

ManageIQ supports multitenancy. Tenants can be totally separate or they can be in a parent-child or peer relationship. Tenants in a relationship can share or inherit a certain configuration. You can subdivide and create child tenants and they, in turn, can have child tenants, and so on. The ability to have multi-level (nested) tenants in a hierarchy enables those at the bottom to inherit permissions from those above. This configuration allows for granular user permissions to be set on specific tenants.

A tenant can also contain a self-contained child tenant known as a project. A project cannot have a child tenant, but is useful for allocating resources to a small group or team within a larger organization.

If you do not add any additional tenants, all resources and user accounts are contained in a single base tenant, which is your ManageIQ appliance itself. In ManageIQ, this is sometimes referred to as tenant zero.

Tenancy Account Roles

In ManageIQ, the following two account roles are associated with tenancy:

  • Tenant administrator

  • Tenant quota administrator

Tenant administrator and tenant quota administrator roles are like administrator and super administrator. These roles are not limited to the tenant upon which they are acting and act across all tenants, and therefore should be considered privileged users. These are not roles inside a tenant.

Tenancy Models

The following two approaches exist for tenancy planning:

  • Tenantless - You can create a single large tenant, sometimes referred to as tenant zero, and perform all your operations in there without any subdivision of resources or user accounts.

  • Enterprise model - A common scenario is to create a single tenant, and then subdivide it based on the structures or departments within your organization. Those departments are then able to further subdivide their resources into distinct projects. With this model, you have a single URL for user access, while still having the ability to divide resources into nested hierarchical tenants.

Tenancy Configuration

You can create and configure tenancy using the ManageIQ user interface in the same place you set up users, groups and roles by selecting Configuration from the settings menu, and then clicking on the Access Control accordion.

Tenancy in Automation

One of the features of tenancy is that each tenant can have its own automate domain. Tenant-based domains can help in several use cases, such as if you have:

  • groups that need their own naming routines

  • varying types of approval needs

  • departments that use different end ticketing systems

  • a customer who is a holding company or centralized IT organization for managing different business units

Just like standard domains are nested, you can also add automate domains that are nested at the tenant level.

Tenancy Quota and Reporting

You can allocate and enforce quotas for the following attributes:

  • Virtual CPUs

  • Memory in GB

  • Storage in GB

  • Number of virtual machines

  • Number of templates

You can generate or schedule a report for Tenant Quotas similar to other reports.

Currently, in tenant quota reports you will see all of the tenants but there is no nesting information available by parent and child tenants.


In the following example of a tenant quota report, DevOps Teams is a parent tenant and Team Alpha and Team Bravo are child tenants.