WilliamLam.com

Quick Tip - vSphere MOB is disabled by default in ESXi 6.0

by // 9 Comments

Yesterday, I noticed an interesting error when trying to connect directly to the vSphere MOB on an ESXi 6.0 host. The following error message was displayed on the browser:

503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x4bf02038] _serverNamespace = /mob _isRedirect = false _pipeName =/var/run/vmware/proxy-mob)

vsphere-6.0-mob-disable-0
This was the first time I had noticed this as I normally use the vSphere MOB for debugging purposes or exploring the vSphere API. The vSphere MOB is also a quick an handy way to unregister vSphere Plugins when connecting to vCenter Server.

I did some further investigation and it turns out that in vSphere 6.0, the vSphere MOB will be disabled by default on an ESXi 6.0 host. The reason for this is to provide security hardening out of the box for ESXi versus having an administrator harden after the fact. If you are familiar with the vSphere Security Hardening Guides, you will recall one of the guidelines is to disable the vSphere MOB on an ESXi host and with vSphere 6.0, this is now done automatically for you. This information will also be documented as part of the vSphere 6.0 documentation when it GAs.

If you still need to access the vSphere MOB on an ESXi how, this of course can be re-enabled from the default. There is also a new ESXi Advanced Setting called Config.HostAgent.plugins.solo.enableMob which easily controls whether the vSphere MOB is enabled or disabled as seen in the screenshot below.

vsphere-6.0-mob-disable-1
You have the option of using either the vSphere C# Client as shown in the screenshot above or the vSphere Web Client to configure the ESXi Advanced Setting:

vsphere-6.0-mob-disable-3
You can also configure this property using the vim-cmd in the ESXi Shell.

Listing the ESXi Advanced Setting using vim-cmd:

vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.solo.enableMob

vsphere-6.0-mob-disable-2
Configuring the ESXi Advanced Setting to true:

vim-cmd hostsvc/advopt/update Config.HostAgent.plugins.solo.enableMob bool true

If you prefer to automate this using PowerCLI or vSphere API, this can also be done. Below are two examples using the Get-VmHostAdvancedConfiguration and Set-VMHostAdvancedConfiguration PowerCLI cmdlets.

Listing the ESXi Advanced Setting using PowerCLI:

Get-VMHost 192.168.1.200 | Get-VmHostAdvancedConfiguration -Name Config.HostAgent.plugins.solo.enableMob | Format-List

vsphere-6.0-mob-disable-4.png
Configuring the ESXi Advanced Setting to true:

Get-VMHost 192.168.1.200 | Set-VMHostAdvancedConfiguration -Name Config.HostAgent.plugins.solo.enableMob  -Value True

If you rely on using the vSphere MOB on ESXi and would like this to be your default, I would recommend you update either your ESXi Kickstart or Host Profile to include this additional configuration so that you do not get like I did 🙂 If you only need to use the vSphere MOB on occasion or do not have a use for it at all, then leaving the default is sufficient.

Cool Docker Container for VMware Utilities

by // 11 Comments

Last week during lunch I learned about a cool little project that my colleague Alan Renouf was working on in his spare time at night. He was interested in learning more about Docker and thought the best way to learn about something new was by using it, which is normally how I learn as well. He came up with a nifty idea to create a Docker Image that would house a bunch of useful VMware tools which included several VMware open source projects as well.

UPDATE (11/23/16) - The Docker Container has now been updated with all the latest vSphere 6.5 SDK/CLI/Tools. We also plan to make this new version of the Docker Image available on Docker Hub, so stay tuned for those details shortly.

Some customers in the past have built similar offerings by using a free VMware Appliance called vMA (vSphere Management Assistance). vMA is nothing more than a stripped down version of SLES that has the vSphere CLI (vCLI) pre-installed. In my opinion, vMA is pretty limited and you can not install additional packages without voiding official support. Even if you decide to ignore support and install custom packages, I have often seen this break existing dependencies. When I talk to customers about their use of vMA, most used it because it was just there, but the majority prefer to use their own harden distribution of Linux and install their own admin utilities and packages which may also include non-VMware tools.

I personally have no problem building my own VM appliance that contains the various VMware packages, utilities and scripts that I use on a daily basis. However, not everyone is comfortable with this idea. Wow could this be further simplified and automated? Well, enter vmware-utils a Docker Image that allows you to automatically build a new image that contains some of the most popular and widely used VMware Utilities.

I wanted to enhance the awesome work that Alan had done with couple more VMware open source tools that I thought might be useful to VMware Administrators, which I actually wrote about here in my List of VMware CLIs, SDKS and DevOps Tools article. I have already submitted a pull request for my changes here. If there are other tools or packages you think that are useful and wish to contribute back, feel free to clone the repository and submit a pull request!

The latest vmware-utils now contains the following:

  • vSphere CLI 6.5
  • PowerCLI Core 1.0
  • vSphere Management SDK 6.5
  • vSphere SDK for Perl 6.5
  • vSphere SDK for Ruby (rbvmomi)
  • vSphere SDK for Python (pyvmomi)
  • vSphere Automation SDK for Ruby 6.5
  • vSphere Automation SDK for Python 6.5
  • vSphere Automation SDK for Perl 6.5
  • vSphere Automation SDK for Java 6.5
  • VSAN Management SDK for Ruby 6.5
  • VSAN Management SDK for Python 6.5
  • VSAN Management SDK for Java 6.5
  • VSAN Management SDK for Perl 6.5
  • Virtual Disk Development Kit (VDDK) 6.5
  • OVFTool 4.2
  • PowerCLI Community Repository
  • PowerCLI Core Docker Container Samples
  • William Lam's vGhetto Script Repository
  • Pyvmomi Community Samples
  • Docker Client v1.12.3
  • Docker Compose v1.8.1

For those of you who are new to Docker, a great way to quickly get started is by using an awesome tool called boot2docker which allows you to run Docker Containers on either a Windows or Mac OS X system. This also helps remove any barriers if you do not want to setup a Linux machine to get Docker of if you are like me, running on Mac OS X and rather not have to spin up a VM just to use Docker. Below are the steps on getting boot2docker working and building your own vmware-utils Docker Image.

Step 1 - Download the Docker Client for your specific OS (Windows, Linux or Mac OS X)

Step 2 - Take a look at the vmware-utils README, I spent some time updating it to make it more consumable for new users of Docker and follow the "How" section which will have you download the 4 VMware utilities as well as the vmware-utils DockerFile which we will need to build the Docker Container.

Step 3 - Create a directory and place all files into that directory. In this example, I have called the directory "vmware-utils".

vmware-utils-docker-container-0
Step 3 - We are now ready to build our vmware-utils Docker Image. Change into the "vmware-utils" directory that contains the files you downloaded earlier we will need to specify a "tag" for our image as part of the build command. In this example, I have called my image "lamw/vmware-utils" and to start the build process run the following command:

docker build -t lamw/vmware-utils .

Step 4 - The build itself may take some time depending on the speed of your internet connection. You will know when it has successfully completed when it states "Successfully built X" where X will be some unique ID as seen in the screenshot below.

vmware-utils-docker-container-4
Step 5 - Once the Docker Image has finished building, you can then run and connect to the Container by running the following command:

docker run --rm -it lamw/vmware-utils

vmware-utils-docker-container-5
At this point, you are now logged into the vmware-utils Docker Container that you have just built! It contains all the VMware Utilities that I have listed earlier and for more details on what has been installed and the location of the utilities, take a look at the vmware-utils Github documentation. If there are other tools you would like to see, feel free to contribute back by cloning the repository and submitting a pull request. I am definitely looking forward to seeing how this project evolves and providing a more dynamic way of creating a vMA-like experience without the current limitations. Keep up the awesome work Alan!

Handy new vSphere 6.0 APIs to be aware of

by // 2 Comments

The number of new platform capabilities and features in vSphere 6.0 is by far the largest that I have seen in awhile. One of the things I like to do with each new vSphere release is review all the new APIs that are now available to be consumed. Here are some of the new vSphere APIs that I think are interesting from an Automation point of view for vSphere 6 that I think folks should be aware of. I know for myself, there are several new vSphere APIs that I have personally been waiting for quite some time and I am glad to finally see them available for our customers, developers and partners. Depending on my free time, I may go into more details on how some of these new APIs work and provide some sample codes.

If you would like to see the complete list of new vSphere 6.0 APIs, be sure to check out the vSphere 6.0 API Reference Guide (available when vSphere 6.0 GA's which is Q1 of 2015) which has a "What's New" section on all the new Managed Objects, Methods, Properties, etc.

CertificateManager - API to deploy and refresh VMCA (VMware Certificate Authority) SSL Certificates for ESXi hosts

  • CertMgrRefreshCACertificatesAndCRLs_Task
  • CertMgrRefreshCertificates_Task
  • CertMgrRevokeCertificates_Task

ClusterEVCManager - API to finally manage and configure EVC (Enhanced vMotion Compatibility) for a vSphere Cluster

  • CheckAddHostEvc_Task
  • CheckConfigureEvcMode_Task
  • ConfigureEvcMode_Task
  • DisableEvcMode_Task

IoFilterManager - API to manage the new IO Filter capability

  • InstallIoFilter_Task
  • QueryDisksUsingFilter
  • QueryIoFilterInfo
  • QueryIoFilterIssues
  • ResolveInstallationErrorsOnCluster_Task
  • ResolveInstallationErrorsOnHost_Task
  • UninstallIoFilter_Task
  • UpgradeIoFilter_Task

ClusterComputeResource - API to quickly lookup all the affinity and anti-affinity rules for a VM

  • FindRulesForVm

VSAN 6.0 / VVOL / NFS v4.1 APIs - Please take a look here

HostStorageSystem 

  • Marking a Disk device as either Local or Remote
    • MarkAsLocal_Task
    • MarkAsNonLocal_Task
  • Marking a Disk device as either an SSD or Magnetic Disk
    • MarkAsNonSsd_Task
    • MarkAsSsd_Task
  • Turn On of Off the LED on supported Disk device
    • TurnDiskLocatorLedOn_Task
    • TurnDiskLocatorLedOff_Task
  • VMFS UNMAP operation
    • UnmapVmfsVolumeEx_Task

HostCertificateManager - API to manage and update custom CA signed SSL Certificates on ESXi hosts

  • GenerateCertificateSigningRequest
  • GenerateCertificateSigningRequestByDn
  • InstallServerCertificate
  • ListCACertificateRevocationLists
  • ListCACertificates
  • ReplaceCACertificatesAndCRLs

HostActiveDirectoryAuthentication - API to manage Smart Card Authentication on ESXi hosts

  • DisableSmartCardAuthentication
  • EnableSmartCardAuthentication
  • InstallSmartCardTrustAnchor
  • ListSmartCardTrustAnchors
  • RemoveSmartCardTrustAnchor
  • RemoveSmartCardTrustAnchorByFingerprint
  • ReplaceSmartCardTrustAnchors

HostAccessManager - API to manage new Lockdown Mode capabilities and modify System Users

  • ChangeAccessMode
  • ChangeLockdownMode
  • QueryLockdownExceptions
  • QuerySystemUsers
  • RetrieveHostAccessControlEntries
  • UpdateLockdownExceptions
  • UpdateSystemUsers

VirtualMachine

  • Enable SMP-FT for VM
    • CreateSecondaryVMEx_Task
  • Send NMI (Non-Masking Interrupt) request to VM
    • SendNMI

GuestWindowsRegistryManager - API to manage registry keys for Windows Guest OSes

  • CreateRegistryKeyInGuest
  • DeleteRegistryKeyInGuest
  • DeleteRegistryValueInGuest
  • ListRegistryKeysInGuest
  • ListRegistryValuesInGuest
  • SetRegistryValueInGuest