WilliamLam.com

Search Results for: vsphere MOB

Automating the retrieval & reclamation of VM MAC address blocklist for vCenter Server using the vSphere MOB

by // Leave a Comment

As shared in this blog post HERE and HERE, vCenter Server has a built-in mechanism for managing VM MAC addresses where the original VM has been migrated to a different vCenter Server (regardless of the vCenter SSO Domain) using a VM MAC Address blocklist.

The VM MAC address blocklist functionality is still only available using a private API and the only way to find out what VM MAC addresses are currently in the list is by interactively using the vSphere MOB and the fetchRelocatedMACAddress API.

Recently, I had a question from a customer who was looking to clear the VM MAC address blocklist and was wondering if that was possible and whether there was an API to perform this operation?

[Read more...]

How to automate vSphere MOB operations using PowerShell?

by // 5 Comments

A couple of weeks back I was investigating something that involved the use of the vSphere Managed Object Browser (MOB) and I needed to automate a particular operation. For those of you not familiar with the vSphere MOB, it is a UI debugging tool that allows you to visualize and invoke vSphere APIs using just a web browser. The vSphere MOB is available on both vCenter Server and ESXi and uses the underlying vSphere API. Outside of learning about the vSphere APIs and potentially for troubleshooting purposes, there really is no good reason to be directly interacting with the vSphere MOB on a regular basis. Customers can use any one of the many vSphere SDK/CLIs to easily automate and interact with the vSphere API.

Having said that, there may be cases where you might want to invoke a specific operation using the vSphere MOB, such as private API for example. Obviously, using any private/internal APIs is not officially supported by VMware and their use will be at your own risk. Nonetheless, I had a specific operation that I needed to call from the vSphere MOB and wanted to do so using PowerShell. Several years back I had demonstrated how you could invoke the vSphere MOB using Python but I could not find any PowerShell examples that actually worked. I figured this would be a good learning opportunity for myself and probably something I or others could benefit in the future.

To provide a concrete example, I will be invoking a supported vSphere API called the QueryOptions which is used for accessing either a vCenter Server or ESXi Advanced Settings. For our example, I will be connecting to the vCenter Server's MOB and will be querying for a specific vCenter Server Advanced Setting. If we were to do this manually in the vSphere MOB, we would first open a web browser and login to the following URL: https://[VC-SERVER]/mob/?moid=VpxSettings&method=queryView

automate-vsphere-mob-using-powercli
If you wanted to see all advanced settings, you would leave the "name" parameter blank. For our example, we will query for the VirtualCenter.InstanceName property as shown in the screenshot above and then click on the "Invoke Method" to execute the vSphere API operation. If successful, it should display the results which in our case is the IP Address of my vCenter Server. Pretty straight forward vSphere MOB example. OK, onto automating this from PowerShell. I have created a sample PowerShell script called automate-vsphere-mob.ps1 which you will need to edit and provide your vCenter Server Hostname/IP Address and the vCenter Server credentials (can be read-only) since we are not performing any write operations.

Here are some more specific details on what is happening in the script for those interested:

  1. Authenticate to the vSphere MOB URL that you wish to invoke using an HTTP GET operation and storing the session into a variable named vmware (Line 28-29)
  2. Extract the hidden vmware-session-nonce property used to prevent Cross-Site Request Forgery (CSRF) (Line 31-40)
  3. Create the body request which must include the vmware-session-nounce property along with the vSphere API payload (Line 42-45)
  4. Invoke the actual vSphere API call using an HTTP POST along with the existing session from Step 1 and body payload
  5. Process the results (this will be specific to API call) and profit! (Line 50-59)

If you now run the script, you will see that the result is exactly what we saw from interactively using the vSphere MOB. Hopefully this will be useful for anyone who may have a need to automate against the vSphere MOB. For those curious on what I was investigating with the vSphere MOB, stay tuned for more details 🙂

Quick Tip - vSphere MOB is disabled by default in ESXi 6.0

by // 9 Comments

Yesterday, I noticed an interesting error when trying to connect directly to the vSphere MOB on an ESXi 6.0 host. The following error message was displayed on the browser:

503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x4bf02038] _serverNamespace = /mob _isRedirect = false _pipeName =/var/run/vmware/proxy-mob)

vsphere-6.0-mob-disable-0
This was the first time I had noticed this as I normally use the vSphere MOB for debugging purposes or exploring the vSphere API. The vSphere MOB is also a quick an handy way to unregister vSphere Plugins when connecting to vCenter Server.

I did some further investigation and it turns out that in vSphere 6.0, the vSphere MOB will be disabled by default on an ESXi 6.0 host. The reason for this is to provide security hardening out of the box for ESXi versus having an administrator harden after the fact. If you are familiar with the vSphere Security Hardening Guides, you will recall one of the guidelines is to disable the vSphere MOB on an ESXi host and with vSphere 6.0, this is now done automatically for you. This information will also be documented as part of the vSphere 6.0 documentation when it GAs.

If you still need to access the vSphere MOB on an ESXi how, this of course can be re-enabled from the default. There is also a new ESXi Advanced Setting called Config.HostAgent.plugins.solo.enableMob which easily controls whether the vSphere MOB is enabled or disabled as seen in the screenshot below.

vsphere-6.0-mob-disable-1
You have the option of using either the vSphere C# Client as shown in the screenshot above or the vSphere Web Client to configure the ESXi Advanced Setting:

vsphere-6.0-mob-disable-3
You can also configure this property using the vim-cmd in the ESXi Shell.

Listing the ESXi Advanced Setting using vim-cmd:

vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.solo.enableMob

vsphere-6.0-mob-disable-2
Configuring the ESXi Advanced Setting to true:

vim-cmd hostsvc/advopt/update Config.HostAgent.plugins.solo.enableMob bool true

If you prefer to automate this using PowerCLI or vSphere API, this can also be done. Below are two examples using the Get-VmHostAdvancedConfiguration and Set-VMHostAdvancedConfiguration PowerCLI cmdlets.

Listing the ESXi Advanced Setting using PowerCLI:

Get-VMHost 192.168.1.200 | Get-VmHostAdvancedConfiguration -Name Config.HostAgent.plugins.solo.enableMob | Format-List

vsphere-6.0-mob-disable-4.png
Configuring the ESXi Advanced Setting to true:

Get-VMHost 192.168.1.200 | Set-VMHostAdvancedConfiguration -Name Config.HostAgent.plugins.solo.enableMob  -Value True

If you rely on using the vSphere MOB on ESXi and would like this to be your default, I would recommend you update either your ESXi Kickstart or Host Profile to include this additional configuration so that you do not get like I did 🙂 If you only need to use the vSphere MOB on occasion or do not have a use for it at all, then leaving the default is sufficient.