About ESXi lockdown mode

When you build your virtual infrastructure with only ESXi hosts that you also lock down for security reasons, you might be in for a little surprise when you want to get your VI up and running again after major maintenance or a failure. The first thing to do after the virtual infrastructure has been down is to get vCenter up and running again. In a previous post, “How to quickly recover from disaster”, I already explained the idea of always running vCenter on the first host in your cluster. In case of failure you don’t have to search for where DRS left your vCenter VM; you just connect the VI Client to the first host and start the vCenter VM. Don’t forget that you need your Active Directory and SQL database up before starting vCenter.

With an all-ESXi environment and locked-down hosts, you cannot use the VI Client to connect and start the necessary VMs. At least that is what many think, but it isn’t completely true. Lockdown mode does NOT prevent direct VI Client connections as such; it does however prevent direct VI Client connections made with the root user account. The same goes for PowerCLI, vCLI, vMA, or any of the other public APIs: in lockdown mode the root user has no direct access. You can however create an extra local user on your ESXi install and assign this user administrator rights. Then, after enabling lockdown mode, you can still make a direct VI Client connection to your ESXi box as that user and perform admin tasks like starting VMs.

Another option would be to get access to the console of the ESXi host using iLO, KVM, DRAC or a similar technique and disable lockdown mode there. After disabling lockdown mode, you can again log in as root using the VI Client.

To summarize:
– Lockdown mode for ESXi does prevent root access using the VI Client, PowerCLI, vMA, the APIs etc.
– Lockdown mode for ESXi does NOT prevent other local users from accessing the ESXi host using the above-mentioned tools. Just be sure to create this user first, before enabling lockdown mode.
– In an enterprise, the procedure to create that local user on all ESXi hosts would be to use (for example) PowerShell to create the admin user on every host and only then enable lockdown mode.
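The procedure in the last bullet, as an added PowerCLI example; this is not code from the original post. It assumes VMware PowerCLI with the cmdlets Connect-VIServer, Get-VMHostAccount, New-VMHostAccount, Get-VIRole, New-VIPermission and Get-View, plus the HostSystem API method EnterLockdownMode() and the Config.AdminDisabled property used here to read the lockdown state. The vCenter name, host names and the local account name are placeholders. The order is the point: create the local account on each host while root still has direct access, prove that the account can log in, and only then turn lockdown mode on through vCenter.

```powershell
# Added example (not from the original post): create a local break-glass admin
# account on each ESXi host, verify it works, and only then enable lockdown mode.
# Assumes VMware PowerCLI is loaded. All names below are placeholders.

$vCenter      = 'vcenter.example.local'                               # placeholder
$hosts        = @('esxi01.example.local', 'esxi02.example.local')     # placeholders
$breakGlassId = 'esx-breakglass'                                      # placeholder local account name

# Prompt for credentials instead of hard-coding them in the script.
$rootCred = Get-Credential -Message 'root credential for the ESXi hosts'
$bgSecure = Read-Host -AsSecureString -Prompt "Password for local account $breakGlassId"
# New-VMHostAccount wants a plain string; unwrap the SecureString through a throw-away PSCredential.
$bgPlain  = (New-Object System.Management.Automation.PSCredential('x', $bgSecure)).GetNetworkCredential().Password
$bgCred   = New-Object System.Management.Automation.PSCredential($breakGlassId, $bgSecure)

# Step 1: create and verify the local account on every host BEFORE lockdown.
foreach ($h in $hosts) {
    # Local ESXi accounts live on the host itself (they are not AD users), so
    # connect to the host directly as root rather than through vCenter.
    $hostConn = Connect-VIServer -Server $h -Credential $rootCred

    if (-not (Get-VMHostAccount -Server $hostConn -Id $breakGlassId -ErrorAction SilentlyContinue)) {
        # -UserAccount is required on the PowerCLI 4.x/5.x releases of this era;
        # later PowerCLI versions deprecated the switch.
        New-VMHostAccount -Server $hostConn -UserAccount -Id $breakGlassId -Password $bgPlain `
            -Description 'Break-glass local admin; use only when vCenter is unavailable' | Out-Null
    }

    # Grant the host's built-in Administrator role on the host object itself.
    $adminRole = Get-VIRole  -Server $hostConn -Name 'Administrator'
    $vmhost    = Get-VMHost  -Server $hostConn
    New-VIPermission -Server $hostConn -Entity $vmhost -Principal $breakGlassId `
        -Role $adminRole -Propagate:$true | Out-Null
    Disconnect-VIServer -Server $hostConn -Confirm:$false

    # Verify the new account can actually log in; a failure here stops the
    # script (-ErrorAction Stop) so no host is locked down with a broken account.
    $check = Connect-VIServer -Server $h -Credential $bgCred -ErrorAction Stop
    Disconnect-VIServer -Server $check -Confirm:$false
    "$h : local admin account $breakGlassId verified"
}

# Step 2: only now enable lockdown mode, via vCenter.
$vc = Connect-VIServer -Server $vCenter -Credential (Get-Credential -Message 'vCenter credential')
foreach ($h in $hosts) {
    $view = Get-VMHost -Server $vc -Name $h | Get-View
    if (-not $view.Config.AdminDisabled) {
        $view.EnterLockdownMode()                  # root loses direct access from here on
        $view.UpdateViewData('Config.AdminDisabled')
    }
    "{0} : lockdown enabled = {1}" -f $h, $view.Config.AdminDisabled
}
Disconnect-VIServer -Server $vc -Confirm:$false
```

The local account is deliberately created and tested before any host enters lockdown mode, so a typo in the password or a failed permission assignment is caught while root can still fix it. Rolling back is the mirror image: the same HostSystem view exposes ExitLockdownMode(), which is what disabling lockdown from vCenter or the console does.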

22 thoughts on “About ESXi lockdown mode”

  1. Hello, it sounds like one could also use VI Client to create the new user with admin rights?? Perhaps including info or reference on how to make and run a PS script to create this user would help many people.
    For example many people probably log in to VI Client with some domain or server administrator ID/password, explain how it's better to give VI Client admin rights to some user or user group in AD. Or references to additional information on this topic.
    I'm glad I saw this, I will either create new domain accounts or create a domain group that can do this…and read up on ESXi install…if it's the way of the future, I may as well get uncomfortable with it now. :)
    Thank you, Tom

  2. Hi Tom,
    Yes before locking down the ESXi host, you can use the VI Client to create such an admin user. This can however NOT be an Active Directory user !!! You should look at it as a lost resort user. Only use it in emergencies. For normal day to day admin tasks there is no need to bypass vCenter and do things locally on an ESXi host.

    Gabrie

  3. Gabe, is this something VMware will at some point consider a bug? That non-root users with admin rights can connect? It seems a bit obscure to be intentional, and a bit open to abuse also…

    Good to know though, even if it's just disabling lockdown as part of the bring up procedure.

  4. Is this “admin” user the general “equivalent” of the non-root user that one creates during the “regular” ESX installation and that one uses to SSH into “regular” ESX before doing a su – to “become” root??
    Thank you for mentioning this can't be an AD user.
    It appears that one still must create groups and users etc. within VC so people can administer ESXi via VC, which would be tied to AD etc.
    I like your “lost resort” typo, don't change it. :)
    Thank you, Tom

  5. You could see it like that, but I'm not completely happy with the comparison. Just look at it as a local user you can create.

    You should look at it as managing an ESXi or ESX host through vCenter, look at it as configuring the hypervisor to make it work in your virtual infrastructure. Yes, at this point you do have to think about ESXi or ESX, but in later versions (ESX5) I'm convinced it all doesn't matter anymore.

  6. Hello Gabe – Per your request I tested it out and here is what I found. This is a fresh ESXi install at GA level code, no patches or updates. Here are my steps and results.

    1. I created a root-level account named backdoor on the ESXi by connecting to ESXi directly using root
    2. I tested that I was able to connect directly using backdoor
    3. I enabled Lock Down Mode by connecting to the vCenter
    4. Once this was set, I was NOT able to connect directly to the ESXi server. Error was that I didn't have permission to log-in.
    5. I was able to connect using backdoor straight to the ESXi server.
    6. I then disabled Lock Down mode in vCenter.
    7. I was then able to connect directly using root.

    If you want me to test anything else, shoot me an e-mail.

  13. I came to your article from another article and am really interested in learning about this. I feel strongly about information and love learning more on this. If possible, as you gain expertise, would you mind updating your blog with more information? It is extremely helpful for me.
