virtuallyGhetto

appliancesh

Enabling shell access for Active Directory users via SSH to vCenter Server Appliance (VCSA)

by 4 Comments

I had a question the other day on whether it was possible to enable shell access for Active Directory users when logging into the vCenter Server Appliance (VCSA) via SSH? The answer is yes and though this is documented here, it is not very clear whether this is only applicable to SSO-based users only. In any case, the process to enable this is pretty straight forward and simply requires two steps which I have outlined below.

Step 0 - Ensure that your VCSA and/or PSC is joined to Active Directory before proceeding to the next step. If not, take a look at the documentation here for more details.

Step 1 - Login to vSphere Web Client and under Administration->System Configuration->Nodes->Manage->Settings->Access, go ahead and enable boh SSH and bash shell options. The first setting turns on SSH to the VCSA and the second setting allows users (local, SSO and AD) to access the shell on the VCSA.


Step 2 - In the vSphere Web Client and under Administration->Single Sign-On->Users and Groups->Groups, select the SystemConfiguration.BaseShellAdministrators group and add either an AD User and/or Group that you wish to allow to access the shell.


Once you have completed the steps above, you can now SSH to your VCSA/PSC using the AD user (UPN format) that you had authorized earlier. In the example below, I am logging into one of my VCSA using user *protected email* and as you can see, I am placed into the appliance shell by default.


At this point I can access all the appliancesh commands just like I normally would if I had logged as a root or *protected email*.

If we wish to change to bash shell, we simply just type "shell" which will enable shell access, assuming you had performed Step 2.


One thing that I noticed is that the default home directory for the AD user is /var/lib/nobody and apparently that does not exists by default, so users end up in / directory by default after enabling shell access. I am not sure if this is also related, but the username shows up as nobody as you can see from the prompt. This is something I will share with Engineering to see if we can improve upon as I am sure most of you would rather see the user that is actually logged in.

The good news from an auditing and logging standpoint is that for operations that are logged, it does properly show the username even though the prompt is showing up as nobody.

[Read more...] about Enabling shell access for Active Directory users via SSH to vCenter Server Appliance (VCSA)

How to remotely run appliancesh & other shell commands on VCSA w/o requiring SSH?

by 9 Comments

In vSphere 6.0 Update 1, the vCenter Server Appliance (VCSA) has received a significant enhancement to its Virtual Machine Management Interface also known as VAMI for short. As the name suggests, this interface provides basic configuration, monitoring and management capabilities for the Virtual Appliance which can be consumed through either a UI using a web browser or from the appliancesh CLI running within the VCSA Shell.

vcenter-server-appliance-appliancesh-and-other-commands-without-ssh-0
When talking to customers, they love the fact that the VCSA is harden out of the box and things like SSH are disabled by default. However, one challenge today is that if you need to access the appliancesh interface, SSH still must be enabled or direct console access would be required which is not ideal from an automation as well as from a security standpoint. Although things like SNMP can be configured on the VCSA to help alleviate some of these challenges, it does not solve the problem of having programmatic and remote management access.

VMware Engineering is aware of this request and is working on exposing the VAMI capabilities as an API in a future release of vSphere. In the mean time, not all hope is lost and there is still a solution which does not require you to give up security to be able to operate and manage your VCSA. We can do so by leveraging one of my all time favorite features of the vSphere Platform which is the Guest Operations API which allows you perform guest operations (running commands, transferring files, etc) directly within the guestOS as if you were logged in. Valid guest credentials are still required and once authenticated, the operations are then proxied through VMware Tools. Networking is not even required which makes this a really handy feature for troubleshooting and can even extend into application level provisioning using a single API. I can not stress enough on how cool and underutilized this feature is and it still comes as a surprise when I tell customers that this is actually possible.

Customers can consume the Guest Operations API by consuming it through one of our many supported vSphere SDKs as I have shown here or you can also consume it through PowerCLI using the Invoke-VMSCript cmdlet. To demonstrate the power of the Guest Operations API with the VCSA, I will completely disable all remote access to the VCSA which includes Local Login, Bash Shell and SSH as shown in the screenshot below.

vcenter-server-appliance-appliancesh-and-other-commands-without-ssh-1
Here is an example of running a simple "echo" command using the vSphere SDK for Perl:

vcenter-server-appliance-appliancesh-and-other-commands-without-ssh-2
Note: You will notice that there is no output and that is because the standard output must be re-directed to a file and then downloaded back to your client. The PowerCLI's Invoke-VMScript does handle this for you and will return any standand output to the console. For more complex commands, I would recommend creating a script that contains the command and just running the script itself which you can then log locally or into a file.

Here is an example of running the "appliancesh" command using the Invoke-VMScript cmdlet:

vcenter-server-appliance-appliancesh-and-other-commands-without-ssh-4
Here is an example of running the "cmsso-util" command using the Invoke-VMScript cmdlet:

Note: The reason the additional "export" commands are required is that certain commands may rely on certain environmental variables to be setup. In the case of the cmsso-util command, there are several VMware environmental variables it uses. I decided to just export them all but you can selectively figure out which ones are truly needed.

vcenter-server-appliance-appliancesh-and-other-commands-without-ssh-4
As you can see from the examples above, I was able to successfully run both shell commands as well as the appliancesh without requiring SSH and even local login! This methods works whether you are connected to vCenter Server or ESXi host from vSphere API perspective.

UPDATE (06/06/19) - Example joining the VCSA to Active Directory using domainjoin-cli

Invoke-VMScript -ScriptText "echo 'VMware1!' | /opt/likewise/bin/domainjoin-cli join vmware.corp administrator
" -vm VCSA -GuestUser root -GuestPassword VMware1!

Automating post-configurations for both PSC & VCSA 6.0u1 using appliancesh

by 4 Comments

In vSphere 6.0, we introduced a new command-line option to allow you to automate both the deployment and upgrade of a vCenter Server Appliance (VCSA) and Platform Services Controller (PSC) using a simple JSON configuration file. This has been a very popular request from customers and one that I have been asking for some time now and was glad to see it was finally made available with the VCSA. One thing that was still missing from an Automation standpoint was being able to some basic post-configurations after the initial deployment. Common operations such as adding additional user accounts, configuring SNMP for monitoring or adding proxy server were available but had to be done interactively and manually.

In vSphere 6.0 Update 1, an enhancement was made to the appliancesh interface which will now allow customers to automate the post-configurations of either a VCSA or PSC by simply re-directing a series of appliancesh commands within a file using SSH. Although SSH may not be ideal for all customers and having a programmatic interface via an API is ultimately where we want to get to; This at least allows customers to automate the end-to-end deployment of both the VCSA and PSC as well as covering any additional post-configurations that might be required to stand up a vSphere environment.

To make use of this feature, you simply create a file that contains the list of appliancesh commands that you wish to run on either the VCSA and/or PSC. Here is an example configuration called psc.config (you can name it anything you want):

Once you have saved the configuration file, you simply SSH to either your VCSA or PSC and re-direct the configuration file by running the following command:

ssh *protected email* < psc.config

Once authenticated, the series of appliancesh commands will be executed and then you will be automatically logged off as seen in the screenshot below.
automating-post-configurations-for-psc-and-vcsa-using-appliancesh-0
If you have any feedback in this particular area, please leave a comment as I know both PM/Engineering are interested in hearing your thoughts and what you might want to see in the future in terms of post-configuration of the VCSA and PSC.

How to upgrade from VCSA 5.x & 6.x to VCSA 6.0 Update 1?

by 100 Comments

I have seen quite a few questions come in on how to properly upgrade from an existing vCenter Server Appliance (VCSA) 5.x and/or 6.x environment to the latest vSphere 6.0 Update 1 which was just released today. Before I jump straight into the process, I think its worth covering on how updates (patches) and upgrades have traditionally been handled for the VCSA. In an update or patch scenario, you are staying within a major release of vSphere (e.g. vSphere 5.0) and moving to something like vSphere 5.0 p01 and in this case, an in-place update or patch is performed. In an upgrade scenario, where you are moving from one major release (e.g. vSphere 5.0) to another major release (e.g. vSphere 6.0), a "migration based" approach is taken. This means that you would need to deploy the new VCSA that you wish to upgrade to and then migrate the data from your old VCSA appliance to the new one which is part of the upgrade workflow. This "migration based" approach was also true for any "U" (Update) releases (e.g. vSphere 5.5 to vSphere 5.5 Update 1). 

For major releases, this makes perfect sense and provides customers a nice way to easily rollback if something goes wrong. You simply power off the new VCSA and then power on your original VCSA and you are back in business. For update releases, we have heard from our customers that this process was not ideal and though there is always a risk when updating software (which is why I always recommend customers test thoroughly in a Dev/Test environment before moving to production), the amount of changes in the code is significantly less when compared to a major upgrade. One of the new features that we have introduced in vSphere 6.0 Update 1 is an in-place upgrade for "U" (Update) releases which I have already blogged about here among other new features.

This means that if you are coming from a VCSA 6.x environment and you wish to upgrade to vSphere 6.0 Update 1, you simply just mount the vSphere 6.0 Update 1 Patch ISO to your VCSA 6.x environment and perform the update from the command-line via the appliancesh interface. This is quite nice as it reduces the need to copy data between your old and new appliance and helps reduce the overall downtime. In fact, you can upgrade to vSphere 6.0 Update 1 in about 10min or so using this new method. If you are coming from a VCSA 5.x (5.0, 5.1 or 5.5) environment, this would be consider a major to major upgrade and you would need to follow the "migration based" approach to upgrade to vSphere 6.0 Update 1. One other thing to note after you have upgraded to vSphere 6.0 Update 1, we have now re-introduced URL based patching via the VAMI interface. This means in the future, you no longer need to update or patch from an ISO but can do so directly from VMware's online repository.

Below are the instructions on upgrading from VCSA 6.x to VCSA 6.0 Update 1:

Note (09/14/15):

  • If you have an External PSC with your VCSA 6.x and wish to upgrade, the process shown below is the same for both the PSC and the VCSA. You will want to first upgrade your PSC first as that provides authentication to your vCenter Server. Once the PSC has been upgraded and accessible on the network again, you will then want to move to your VCSA. If you are interested in the proper sequence and ordering of VMware Products to update, you can also check out this handy VMware KB 2109760 which provides all the details
  • Thanks to fellow reader Idan for reporting this but it looks like after an upgrade of the VCSA, the default VMware URL for the VAMI is not working. You will need to update it to point to the following URL https://vapp-updates.vmware.com/vai-catalog/valm/vmw/647ee3fc-e6c6-4b06-9dc2-f295d12d135c/6.0.0.10000.latest/ instead of the default one as shown in the screenshot below. This is only applicable for upgrade scenarios. If you deploy a new VCSA 6.0 Update 1, it will automatically be using the correct URL

incorrect-vami-repo-url
Step 0 - Ensure you have a proper backup and take a snapshot of your VCSA 6.x appliance before beginning.

Step 1 - Download the VCSA 6.0 Update 1 Full Patch (VMware-vCenter-Server-Appliance-6.0.0.10000-3018521-patch-FP.iso) by visiting the VMware Patch Download site.

upgrade-from-vcsa-6.0-to-vcsa-6.0-update-1-0
Step 2 - Mount the VCSA 6.0 Update 1 Patch ISO to your VCSA 6.x appliance using either the vSphere Web/C# Client

Step 3 - Login to your VCSA 6.x appliance via SSH to the appliancesh interface. If you have disabled that, simply type "appliancesh" and login with the root credentials.

Step 4 - Run the following command to stage and install the patches from the VCSA 6.0 Update 1 Patch ISO:

software-packages install --iso --acceptEulas

upgrade-from-vcsa-6.0-to-vcsa-6.0-update-1-1
Note: If you run into any errors while either staging or installing the patches, you should drop into the bash shell and take a look at /var/log/vmware/applmgmt/software-packages.log file for additional information. One common issue that I have seen in the past is if your /storage/log partition is full and you may need to perform a clean up before continuing.

Step 5 - Once the upgrade has completed, you just need to reboot your VCSA by running the following command:

shutdown reboot -r "Updated to vSphere 6.0u1"

upgrade-from-vcsa-6.0-to-vcsa-6.0-update-1-2
Step 6 - A quick way to confirm that you have successfully upgraded your VCSA to vSphere 6.0 Update 1, simply open a browser to the following URL: https://[VCSA-IP]:5480 and it should take you to the new HTML5 VAMI interface.

upgrade-from-vcsa-6.0-to-vcsa-6.0-update-1-3
If you would like additional information, take a look at this VMware KB 2119924.

vCenter Server 6.0 Tidbits Part 5: New method of patching the VCSA/PSC

by 9 Comments

In previous releases of the VCSA, patching and updating of the VCSA was performed through what was known as the VAMI interface which provided both a UI as well as a command-line which I have blogged about here. The simplest and easiest method was of course using the UI which just required opening a browser to https://[VCSA]:5480 as seen in the screenshot below.

UPDATE (09/04/15) - In vSphere 6.0 Update 1, URL based patching is now available. You can find more details here.

patching-vcsa-6.0-0
In the VCSA 6.0, the old VAMI UI interface no longer exists and to update/patch the VCSA you will need to use the appliancesh command-line interface. There is a command called "software-packages" which is used to update/patch the software on the VCSA. This information is also documented here.

patching-vcsa-6.0-2
VMware just recently released a patch update to vSphere 6.0 and one of the updates is applicable to VCSA (Embedded) and VC/PSC (External) as noted in this VMware KB 211640. There are two patches (Third Party & Bug/Security Fix) which are available as an ISO which can be downloaded from here.

patching-vcsa-6.0-1
Before you can apply the patch/update, you will need to mount the patch ISO to your VCSA/PSC using either the vSphere C#/Web Client as you would with any other ISO. The second step is to login to the VCSA/PSC and if you have disable the appliancesh, you just need to type "appliancesh" and you will be prompted to login with your root credentials.

Once logged into the applianesh, the software-packages supports two options:

  • Stage patches from ISO and then install
  • Stage patches from ISO and install at a later time

If you wish to perform the update/patch in a single step by staging and installing, you can run the following command:

software-packages install --iso --acceptEulas

patching-vcsa-6.0-3
If you wish to only stage the patches but not install, you can do so by running the following command:

software-packages stage --iso --acceptEulas

Once you are ready to install the staged patches, you will need to run the following command:

software-packages install --staged

How to change/deploy VCSA 6.0 with default bash shell vs appliancesh?

by 10 Comments

When logging into the new VCSA 6.0 via SSH, you will notice that you are no longer dropped into a normal bash shell but into a new appliancesh (pronounced appliance shell) environment. This new interface provides basic set of virtual appliance management capabilities including Ruby vSphere Console (RVC) access which makes the majority of operations convenient to a vSphere Administrator but it also helps restrict unnecessary access to the underlying filesystem which can be helpful from a security standpoint.

If you need to access the underlying filesystem, you can temporarily enable it by running the following two commands:

shell.set --enabled True
shell

applianceshell-default-bash
If you need to transfer files to/from the VCSA via SCP/WinSCP, you will need to change the default shell from /bin/appliancesh to /bin/bash else the operation will fail. You can easily do this by using the chsh command:

chsh -s "/bin/bash" root

If you rather have the BASH shell configured as the default after deployment and not have to go through this manual process each time, you can actually configured using the following hidden option called guestinfo.cis.appliance.root.shell

This property allows you to specify the default shell for the "root" account and you can only modify this if you deploy the VCSA using ovftool. Here is the parameter you would append to the ovftool argument list:

--prop:guestinfo.cis.appliance.root.shell="/bin/bash"

You can leverage this new property and automate the deployment of the new VCSA 6.0 and for more details be sure to check out my VCSA 6.0 Automation Series.