ESXi – Page 37

Quick Tip - vSphere MOB is disabled by default in ESXi 6.0

02.24.2015 by William Lam // 9 Comments

Yesterday, I noticed an interesting error when trying to connect directly to the vSphere MOB on an ESXi 6.0 host. The following error message was displayed on the browser:

503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x4bf02038] _serverNamespace = /mob _isRedirect = false _pipeName =/var/run/vmware/proxy-mob)

This was the first time I had noticed this as I normally use the vSphere MOB for debugging purposes or exploring the vSphere API. The vSphere MOB is also a quick an handy way to unregister vSphere Plugins when connecting to vCenter Server.

I did some further investigation and it turns out that in vSphere 6.0, the vSphere MOB will be disabled by default on an ESXi 6.0 host. The reason for this is to provide security hardening out of the box for ESXi versus having an administrator harden after the fact. If you are familiar with the vSphere Security Hardening Guides, you will recall one of the guidelines is to disable the vSphere MOB on an ESXi host and with vSphere 6.0, this is now done automatically for you. This information will also be documented as part of the vSphere 6.0 documentation when it GAs.

If you still need to access the vSphere MOB on an ESXi how, this of course can be re-enabled from the default. There is also a new ESXi Advanced Setting called Config.HostAgent.plugins.solo.enableMob which easily controls whether the vSphere MOB is enabled or disabled as seen in the screenshot below.

You have the option of using either the vSphere C# Client as shown in the screenshot above or the vSphere Web Client to configure the ESXi Advanced Setting:

You can also configure this property using the vim-cmd in the ESXi Shell.

Listing the ESXi Advanced Setting using vim-cmd:

vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.solo.enableMob

Configuring the ESXi Advanced Setting to true:

vim-cmd hostsvc/advopt/update Config.HostAgent.plugins.solo.enableMob bool true

If you prefer to automate this using PowerCLI or vSphere API, this can also be done. Below are two examples using the Get-VmHostAdvancedConfiguration and Set-VMHostAdvancedConfiguration PowerCLI cmdlets.

Listing the ESXi Advanced Setting using PowerCLI:

Get-VMHost 192.168.1.200 | Get-VmHostAdvancedConfiguration -Name Config.HostAgent.plugins.solo.enableMob | Format-List

Configuring the ESXi Advanced Setting to true:

Get-VMHost 192.168.1.200 | Set-VMHostAdvancedConfiguration -Name Config.HostAgent.plugins.solo.enableMob -Value True

If you rely on using the vSphere MOB on ESXi and would like this to be your default, I would recommend you update either your ESXi Kickstart or Host Profile to include this additional configuration so that you do not get like I did 🙂 If you only need to use the vSphere MOB on occasion or do not have a use for it at all, then leaving the default is sufficient.

Quick Tip - "poor mans" history command in ESXi

02.19.2015 by William Lam // 1 Comment

When I am logged into the ESXi Shell, I often forget that history command is not implemented in ESXi which can be helpful when recalling the list of operations that had been executed in the past. I especially rely on the history command when I am tinkering around with things and once I am successful with the end result, I can easily go back and see the exact steps I took. Recently, I tried running history command only to be let down again as I forgot it was not implemented 🙁

I was thinking there had to be a way on ESXi and then it hit me! Starting with ESXi 5.1, all operations executed in ESXi Shell and Console were automatically logged to /var/log/shell.log. The information I was looking was there but instead of having to manually view the contents of the log, I could simply create an "alias" to a history command which could display the last N-number of entries using the tail command.

Here is an example alias to "history" command to view the last 50 lines in /var/log/shell.log:

alias history="tail -50 /var/log/shell.log"

To make the alias permanent and persist across reboots, we just need to add the entry to /etc/profile.local

Now, I can run the history command on ESXi and get exactly what I want.

Note: Entries in /var/log/shell.log contain more operations executed by all users. You can further refine the aliased command to search only for the current user, such as the root account.

CoreOS is now available as OVA in Alpha channel

01.08.2015 by William Lam // 11 Comments

It looks like the folks over at CoreOS have now also produced an OVA image which can be easily imported into a vSphere or even vCloud Air environment. Previously, it took a few addition steps to convert the "hosted" disk image originally meant for VMware Fusion/Workstation to properly work in a vSphere/vCloud Air based environment. The CoreOS OVA is currently only available in the CoreOS Alpha channel for the "Production" image which also includes VMware's open-vm-tools and the latest release as of today is CoreOS 554.0.0.

You can using either the vSphere C# or vSphere Web Client to import the OVA or you can automate this simply by using command-line via ovftool. Here's an example snippet that you can run directly against an ESXi host:

/Applications/VMware\ OVF\ Tool/ovftool \
        --name=CoreOS \
        "--net:VM Network=VM Network" \
        --datastore=mini-local-datastore-2 \
        --diskMode=thin \
        'http://alpha.release.core-os.net/amd64-usr/554.0.0/coreos_production_vmware_ova.ova' \
        'vi://root:*protected email*'

You can also import the CoreOS OVA into vCloud Air's but you will need to connect into the vCloud Director interface to upload or you can also use ovftool. For more details on how to import using ovftool, check out their documentation here.

Here's a screenshot of deploying CoreOS from a vCloud Air Catalog:

The "Production" CoreOS image does not contain insecure SSH keys as the "insecure" image and so you will still need to create a Cloud Config ISO if you wish to further customize the image including login credentials. You can take a look at the script I had created for deploying CoreOS from the Stable channel and for more details check out the Cloud Config documentation as well.