A seemingly minor point that, for non-ESXi users, can effectively lock you out of remotely logging in to your ESX host’s Service Console is buried away in the “NOTES” section of VMware’s vSphere 4.1 upgrade guide. It took me a while to work out why I was no longer able to log in with my account via SSH after upgrading from 4.0 to 4.1, so I thought it was worth mentioning in case anyone else sees this same problem (although it’s by design rather than a bug, another sign of the forthcoming enforced move to ESXi I would say).
Tucked away on the bottom of page 65 of the guide is the following:
“NOTE After upgrading to ESX 4.1, only the Administrator user has access to the service console. To grant service console access to other users after the upgrade, consider granting the Administrator permissions to other users.”
So the end result is that, if you follow best practices and have root login via SSH disabled, you will not be able to log in remotely to your Service Console until your previously unprivileged user is added to the root (or “Administrators” if you’re using AD Authentication) group. In fact you won’t even be able to log in to the Service Console locally with a non-root user, but you will be able to log in as root.
Looking at the configuration files, the change that has caused this is in /etc/security/access.conf: in ESX 4.1 only root, vpxuser, and vslauser have login access by default. This is also true for new installs but is less obvious than during an upgrade, where you might have previously set up and used non-root users for Service Console SSH logins. The last entry in the file, -:ALL:ALL, is what denies other users login access. You can change this to +:ALL:ALL to allow all users to log in again, but unfortunately this change does not persist across reboots, so it’s not really a viable solution without a script to make the change after every boot, which is rather ugly.
The only permanent solution if you don’t want to use AD authentication is to add your user to the “root” group on the service console. You can do this in two ways: either use the vSphere Client to connect directly to the host as root, select the Local Users & Groups tab and add your user to the “root” group, or from the Service Console use the command “usermod -a -G 0 username” (in Linux the “root” group is represented by “0” by default, and this is the case for the ESX Service Console too). This is not 100% ideal, as this user now has more file access privileges than you would want for an unprivileged user, but it is better than permitting root login via SSH – just keep those usernames and passwords safe!
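Why the group change gets a user past the -:ALL:ALL line, as an added example (not code from the original post or from VMware): assuming the Service Console applies stock pam_access semantics, the first matching line wins and a name in the users field matches either a login name or a group the user belongs to. The file contents, the user alice and the access_decision helper are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide a login the way stock pam_access reads access.conf.
# First matching line wins; a users-field token matches a login name or a
# group the user is in. The origins field and EXCEPT are not handled here.

# access_decision FILE USER "GROUPS"  -> prints allow or deny
access_decision() {
    local file=$1 user=$2 groups=$3 perm users origins tok name
    while IFS=: read -r perm users origins; do
        case "$perm" in
            "+"|"-") ;;
            *) continue ;;              # comment, blank or malformed line
        esac
        for tok in $users; do
            for name in ALL "$user" $groups; do
                if [ "$tok" = "$name" ]; then
                    if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
                    return 0
                fi
            done
        done
    done < "$file"
    echo allow                          # no line matched: pam_access permits
}

# Constructed sample following the defaults described in the post.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample, not copied from a real host
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:ALL:ALL
EOF

echo "root:                      $(access_decision "$conf" root "root")"
echo "alice (group users):       $(access_decision "$conf" alice "users")"
echo "alice (groups users+root): $(access_decision "$conf" alice "users root")"
```

The same evaluation shows the cost noted above: every member of group 0 passes the root line, so membership of that group is worth reviewing whenever accounts change.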
I hope this saves some people the time I spent head-scratching trying to work out why my user passwords all no longer seemed to work no matter what I set them to. Enjoy the Service Console while it lasts because I have a strong hunch it won’t be with us for too much longer!
VMware have been touting all over Twitter today about an issue but not actually informing us what it was. There have been rather cryptic warnings about an issue with ESX U2 and VDI. Now these warnings have been going out since early morning UK time and it is now 8pm UK time and finally:
Continue reading “Warning ESX U2 and PCoIP”
It is that time again, here is the latest security advisory from VMware. It also seems to add more credence to Wil’s post on the future of VMware Server 2.0, as once again the status is affected, but “not being fixed at this time”.
Continue reading “VMware Security Advisory:- VMSA-2010-0002.3”
Train Signal, who produced the popular ‘VMware vSphere’ and ‘Hyper-V’ training videos have just released a new addition to the VMware vSphere suite of training products called ‘VMware vSphere Pro Series Vol. 1’. Continue reading “TrainSignal release a new Training video.”
Well I finally plucked up the courage to sit the VCP-410 exam, well to be fair it was the impending deadline that really made me do it, and the fact that “She who must be obeyed” would have beat me senseless if I had to take the “What’s new” course through my laziness. I am pleased to say that I passed 😀
The exam was a significant improvement on the VCP 310 exam, it was a little more challenging and the profile was more to do with real environment questions rather than the how many vCPUs can you have if it is a Thursday afternoon just before tea time type questions.
So what is my advice for the exam? Well, the number one is use the blueprint as a guide for your revision. Also visit longy’s resource for some very good guidance and test questions, and play with the environment. There are certain questions you can only answer if you have seen the products.
Good luck to those that are yet to commence on the journey, I am just about to start the next trip, my ascent up mount VCDX. Bon voyage
Well, you have been playing with your console and finally got fed up of typing su - root to get to those esxcfg commands. Well, you can automate it; to do so you need to configure sudo.
Continue reading “How To: configure sudo on ESX”
“STOP PRESS” – I was just about to post this and this little nugget appears on VMwareKB
Well it has finally happened after what has seemed an age since the release of vSphere in May. View 4 has finally arrived, but wait! Have you noticed one of the pre-reqs? View requires vSphere 4 U1, so now we have to download both View 4 and Update 1 of ESX and vCenter. This is a significant number of Bits and Bytes. 😀 Thank <insert your deity of choice> we are no longer in the days of 28K modems LOL.
So what is all the fuss about 😀 first I will comment on vSphere Update 1
Continue reading “Busy week in the VMware Engineering team”
Well, as stated on www.rtfm.co.uk, we Northerners are not to be outdone by the recent launch of an Irish and Scottish User Group – we have finally risen to the challenge and struck out on our own. Those that remember my attempting to start this over the previous years may well wonder why my name is not on the invite. Well, due to a change in VMware policy regarding VMUGs, people who are perceived as making their living from VMware are precluded from running a VMUG. Continue reading “Northern UK VMUG”
Now before I start, this is not my nugget, I have just added to the process. So thanks must go to the scripting god that is William Lam.
WARNING: do not do this without Testing first
It is common knowledge that FT (Fault Tolerance) is a feature that comes with vCenter and you will not be able to disable/enable/turn off FT without vCenter. Continue reading “how to remove FT from a host without vCenter”