WilliamLam.com

esxcli Part1 - What is esxcli?

06.16.2010 by William Lam // 8 Comments

esxcli is a new CLI (commandline interface) framework in vSphere that provides a modular architecture for various components called namespaces running in the VMkernel. Some of these namespaces are nmp (Native Multipathing Plugin) for the new VMware Pluggable Storage Architecture, corestorage for claim rules used for masking certain devices to a host, and swiscsi for managing iSCSI interface.

esxcli can be executed within the classic ESX Service Console, the unsupported Busybox console in ESXi or using the vCLI's remote version of esxcli. There are currently 3 namespaces (nmp,corestorage and swiscsi) with the current release of vSphere and we may see others introduced in future releases of vSphere. One important thing to note is that because these modules run within the host, using the vCLI's version of esxcli, you will need to authenticate to the host first to see what modules will be available for access. Currently, esxcli is not vCenter aware, meaning you must connect to a specific ESX or ESXi host when performing an operation.

Here is an example of esxcli executed without connecting to the host first:

Here is an example of esxcli being executed after connecting to the host:

When invoking the esxcli command, you may also notice an esxcli.log is generated. If the command is successfully executed, the log will generally be empty, but if there was an error you may want to take a look at esxcli.log if the command does not provide any output to the screen.

Here is an example of using an auth configuration file and because of the case sensitivity of esxcli, the VI_PROTOCOL entry is failing with HTTPS vs https:

[[email protected] ~]$ cat esxcli.log

[root CRITICAL] Exception:Unsupported protocol
[root CRITICAL] Traceback (most recent call last):
File "esxcli.py", line 387, in _GetStub
File "/vmware/esx40-dev/esx40/bora/vim/py/esxcli/Session.py", line 239, in stub
File "/vmware/esx40-dev/esx40/bora/vim/py/esxcli/Session.py", line 299, in Login
Exception: Unsupported protocol

There is not a whole lot of information available to the public about esxcli. From what I understand after talking to a few VMware engineers, esxcli has an API, but it is currently not exposed to the public for consumption. Not only is there an API, but 3rd party providers or users can potentially create their own modules and install it using the VIB format also known as vSphere Installation Bundle.

Some well known packages that are currently being distributed in the VIB format today are: Cisco Nexus 1000V VEM, HP Insight Manager Agent, EMC PowerPathV/E, Xsigo ESX IB drivers and VMware ESX/ESXi/vMA updates, to name a few. Hopefully in the future, VMware will expose the esxcli API functionality to the developer ecosystem.

Here are a few blog posts with detail examples on using esxcli with the various namespaces:

Stay tuned for Part2 and Part3 where we will look at automating esxcli operations using both the vSphere SDK for Perl and Windows PowerShell!

Is the release vSphere 4.0 Update 2 imminent?

06.10.2010 by William Lam // Leave a Comment

There's already been some chatter in the community regarding vSphere 4.0 Update 2, including a VMware KB article:

http://kb.vmware.com/kb/1021023
http://www.yellow-bricks.com/2010/03/30/whats-the-point-of-setting-iops1/
http://www.vladan.fr/vsphere-4-update-2-is-next/
http://virtualization.info/en/news/2010/03/vsphere-40-update-2-to-add-new-ha.html
http://www.yellow-bricks.com/2010/03/29/cool-new-ha-feature-coming-up-to-prevent-a-split-brain-situation/

While recently downloading a copy of ESX 4.0u1 for testing, I noticed the download URL was the following:

http://www.vmware.com/downloads/download.do?downloadGroup=ESX40U1

The link will generally take you to landing page to login if you have not ready logged in:

I thought I try to plug-in "2" and see what happens, to my surprise it actually displayed some interesting text:

http://www.vmware.com/downloads/download.do?downloadGroup=ESX40U2

When you login, it will throw an error that the download group does not exists.

However, if you tried another invalid entry say "ESX40U3", you'll get an error all together such as the following even before logging in:

http://www.vmware.com/downloads/download.do?downloadGroup=ESX40U3

So does this mean vSphere 4.0 Update 2 about to be released? Your guess is as good as mine, we will just have to wait and see.

How to remove stale targets from vMA

06.10.2010 by William Lam // Leave a Comment

If you have used vMA's vi-fastpass authentication, you will know how easy it is to setup using vifp utility which supports both ESX/ESXi and vCenter targets.

Here's an example of adding ESXi target:

[[email protected] ~]$ sudo vifp addserver esxi3-1.primp-industries.com
*protected email*'s password:

Here's an example of the listing of the available fastpass targets:

[[email protected] ~]$ sudo vifp listservers
esxi3-1.primp-industries.com ESXi

During this process, two accounts (vi-userXX & vi-adminXX) are created on the target host with a password that vMA management creates and caches it locally in an obfuscated but not encrypted form. This will allow you to initialize a fastpass target using vifpinit utility and execute commands against the target host without having to manually type in the credentials.

The fastpass targets are stored in 2 configuration files on vMA:

1) The obfuscated cached credentials is stored in /home/vi-admin/.vmware/credstore/vicredentials.xml

If you cat out the contents, it will look something like this:

   esxi3-1.primp-industries.com
   vi-admin00
   XXXXXXXXXXXXXXXXXXXXXXX

2) A More detailed configuration for each of the targets along is stored in /etc/vmware/viconfig/viconfig.xml

If you cat out the contents, it will look something like this:

   esxi3-1.primp-industries.com
   443
   524d18f6-8bbb-2c5f-a366-6d191813fbe3
   https
   /sdk
   vi-admin00
   vi-user00
   true
   ESX
   1276121961

What happens when you rebuild your host, or the system is no longer available because it has been decommissioned or being used for another purpose? vMA will still think it's managing the host and the fastpass credentials will no longer function as the account is no longer valid the host. If you try to remove the old target, you will see the following error:

[[email protected] ~]$ sudo vifp removeserver esxi3-1.primp-industries.com
*protected email*'s password:

Error: Failed to connect. Please make sure the server is up and is of supported version.

The reason this occurs is that vMA is unable to login to the host and remove the two accounts that were initially created and fails to remove the target. What you will need to do is actually pass in an additional parameter to vifp command "--force" which will forcefully remove the target from vMA management. This command actually does not require the user to enter the correct password to the host even if it is still reachable by vMA. By specifying this flag and providing some input when prompted for the password, vMA will purge the target from it is system.

[[email protected] ~]$ sudo vifp removeserver esxi3-1.primp-industries.com --force
*protected email*'s password:

After a target is removed from vMA, it is also removed from the two above files. You do not manually tweak either of these configuration files or it may lead to issues on your vMA host.

Best practice for decommissioning a host that has been added to vMA's management is the following:

Disable vilogger if you've enabled it for the host
Remove target from vMA management
Verify the host is no longer being managed by vMA
Decomission host