PowerCLI: enable SSH and configure ESXi Firewall


It’s a long time ago when I posted a new article on my blog so it’s time to write some new content. I want to start with a post about configuring SSH to start automatically, hide the Shell warning message and configure the ESXi firewall to allow the connection from a certain IP address. Of course all this is done by running a PowerCLI script.

But first I want to show you where you can change the ESXi firewall settings. Go to the configuration tab and select the Security Profile. Select the rule you want to change and click on firewall.. Select the option “Only allow connections from the following networks” and add the IP address or IP range you want to allow.

image

But like I mentioned before this is not a job do by hand when you have a large vSphere environment so I want to share the PowerCLI script below to perform this task for you. The only things you need to change are the $cluster and $ip variables. Then copy the script to your PowerCLI session and run it.

$cluster = "<clusterName>"
$ip = "192.168.1.1"

foreach($vmHost in (Get-Cluster $cluster | Get-VMHost | Sort Name)){
    write-host "Configuring SSH on host: $($vmHost.Name)" -fore Yellow
    if((Get-VMHostService -VMHost $vmHost | where {$_.Key -eq "TSM-SSH"}).Policy -ne "on"){
        Write-Host "Setting SSH service policy to automatic on $($vmHost.Name)"
        Get-VMHostService -VMHost $vmHost | where { $_.key -eq "TSM-SSH" } | Set-VMHostService -Policy "On" -Confirm:$false -ea 1 | Out-null
    }

    if((Get-VMHostService -VMHost $vmHost | where {$_.Key -eq "TSM-SSH"}).Running -ne $true){
        Write-Host "Starting SSH service on $($vmHost.Name)"
        Start-VMHostService -HostService (Get-VMHost $vmHost | Get-VMHostService | Where { $_.Key -eq "TSM-SSH"}) | Out-null
    }    
    
    $esxcli = Get-EsxCli -VMHost $vmHost
    if($esxcli -ne $null){
        if(($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | select AllowedIPAddresses).AllowedIPAddresses -eq "All"){
            Write-Host "Changing the sshServer firewall configuration"        
            $esxcli.network.firewall.ruleset.set($false, $true, "sshServer")
            $esxcli.network.firewall.ruleset.allowedip.add("$ip", "sshServer")
            $esxcli.network.firewall.refresh()
        }    
    }
    
    if(($vmHost | Get-AdvancedSetting | Where {$_.Name -eq "UserVars.SuppressShellWarning"}).Value -ne "1"){
        Write-Host "Suppress the SSH warning message"
        $vmHost | Get-AdvancedSetting | Where {$_.Name -eq "UserVars.SuppressShellWarning"} | Set-AdvancedSetting -Value "1" -Confirm:$false | Out-null
    }    
}

The script checks if the SSH Service is running or not and will change the setting is necessary. This is also the case with the Firewall configuration and the part to suppress the Shell warning message.

PowerCLI: Automatic expand the available ports for a dvPortgroup


Last year William Lam wrote a blog post on the VMware vSphere Blog about automatic expand a dvPort group port. You can find his post here: http://blogs.vmware.com/vsphere/.  There is also a KB article about this subject. You can find it here: KB1022312

Just a quote from the KB article KB1022312 to explain the auto expand feature and how you can enable it without using Perl of PowerCLI scripting:

Note:  vSphere 5.0 has introduced a new advanced option for static port binding called Auto Expand. This port group property allows a port group to expand automatically by a small predefined margin whenever the port group is about to run out of ports. In vSphere 5.1, the Auto Expand feature is enabled by default.

In vSphere 5.0 Auto Expand is disabled by default. To enable it, use the vSphere 5.0 SDK via the managed object browser (MOB):

  1. In a browser, enter the address http://vc-ip-address/mob/.
  2. When prompted, enter your vCenter Server username and password.
  3. Click the Content link.
  4. In the left pane, search for the row with the word rootFolder.
  5. Open the link in the right pane of the row. The link should be similar to group-d1 (Datacenters).
  6. In the left pane, search for the row with the word childEntity. In the right pane, you see a list of datacenter links.
  7. Click the datacenter link in which the vDS is defined.
  8. In the left pane, search for the row with the word networkFolder and open the link in the right pane. The link should be similar to group-n123 (network).
  9. In the left pane, search for the row with the word childEntity. You see a list of vDS and distributed port group links in the right pane.
  10. Click the distributed port group for which you want to change this property.
  11. In the left pane, search for the row with the word config and click the link in the right pane.
  12. In the left pane, search for the row with the word autoExpand. It is usually the first row.
  13. Note the corresponding value displayed in the right pane. The value should be false by default.
  14. In the left pane, search for the row with the word configVersion. The value should be 1 if it has not been modified.
  15. Note the corresponding value displayed in the right pane as it is needed later.
  16. Go back to the distributed port group page.
  17. Click the link that reads ReconfigureDvs_Task. A new window appears.
  18. In the Spec text field, enter this text:
    <spec>
    <configVersion>1</configVersion>
    <autoExpand>true</autoExpand>
    </spec>

    where configVersion is what you recorded in step 15.
  19. Click the Invoke Method link.
  20. Close the window.
  21. Repeat Steps 10 through 14 to verify the new value for autoExpand.

If you need to change this setting for hundreds of dvPortgroups this will not be one of your favorite changes in your VMware environment. Well you know me. Let’s see if we can PowerCLI this job.

$dvPG = Get-VirtualPortGroup -Name "VM Network"
$dvPGview = get-view $dvPG
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.AutoExpand = "True"
$spec.ConfigVersion = $dvPGview.Config.ConfigVersion
$dvPGview.ReconfigureDVPortgroup_Task($spec)
$dvPGview.UpdateViewData()

if you want to change all the dvPortgroups at one. You can use the following script:

Update: Thanks to Rafael Schitz from http://www.hypervisor.fr/ for the tip to filter out the dvUplink Portgroups. I have also added a check to find out if the dvSwitch is running the correct version to enable the autoExpand feature. Copy the script below and change de $dvSwitchName variable to the name of your dvSwitch.

$dvSwitchName = "dvSwitchName"
$dvSwitch = Get-VirtualSwitch -Distributed -Name $dvSwitchName
if($dvSwitch.ExtensionData.Config.ProductInfo.Version –notmatch "4.*"){
    foreach($dvPG in (Get-View -ViewType DistributedVirtualPortgroup|?{!($_.Tag|?{$_.Key -eq "SYSTEM/DVS.UPLINKPG"}) -and !$_.Config.autoExpand})){
        $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
        $spec.AutoExpand = "True"
        $spec.ConfigVersion = $dvPG.Config.ConfigVersion
        $dvPG.ReconfigureDVPortgroup_Task($spec)
        Write-Host "Enable auotExpand for dvPortgroup: $($dvPG.Name)" -ForegroundColor Yellow
        $dvPG.UpdateViewData()
    }
}
else{
    Write-Host "dvSwitch: $($dvSwitch.Name) is not configured with version 5 or higher. Please upgrade.." -ForegroundColor Red
}

If the dvPortgroup has 0 available ports and a VM wants to connect a network adapter to the dvPortgroup, The total ports variable will be automatically expand with 10 ports. After a couple of tests I can confirm that it works.

My VM Network dvPortgroup had 70 ports. When al these ports where claimed by VM’s and a new VM was deployed or an existing VM was configured with a new network adapter, the Available ports variable was expanded with 10 ports without any impact for the running VM’s.

image

Sources: KB1022312, http://blogs.vmware.com/vsphere/, http://www.hypervisor.fr/?p=4633

PowerCLI: Easy NFS datastore setup vSphere 5.x


For vSphere 4.1 I wrote a PowerCLI script to attach NFS shares. You can find the script here.

In vSphere 5 the properties has changed so I had to change the script. In fact the script is much simpler because all the properties can be found in $nfs.info.nas:

image

The RemoteHost presents the IP address, The RemotePath presents the Share and the Name property presents the name of the share. Now we have the correct variables so it’s time to fix the old script. You can find the result below:

$REFHOST = Get-VMHost "<esxi hostname>"
foreach($NEWHOST in (Get-Cluster <cluster> | Get-VMhost | Where {$_.Name -ne $REFHOST.Name}) | Sort Name){
    foreach($nfs in (Get-VMhost $REFHOST | Get-Datastore | Where {$_.type -eq "NFS"} | Get-View)){
        $share = $nfs.info.Nas
        if($share.Remotehost -match "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"){
            $remotePath = $share.RemotePath
            $remoteHost = $share.Remotehost
            $shareName = $nfs.Name            

            if ((Get-VMHost $NEWHOST | Get-Datastore | Where {$_.Name -eq $shareName -and $_.type -eq "NFS"} -ErrorAction SilentlyContinue )-eq $null){
                Write-Host "NFS mount $shareName doesn't exist on $($NEWHOST)" -fore Red
                New-Datastore -Nfs -VMHost $NEWHost -Name $Sharename -Path $remotePath -NfsHost $remoteHost    | Out-Null
            }
        }
    }
}

vCOPS: Empty Dashboard after the upgrade to version 5.6


After the upgrade of vCenter Operations 5.0.3 (vAPP) to vCenter Operations 5.6 I got an empty screen when I started the vCenter Operations Manager website and the Dashboard view:

image

So I started to troubleshoot and a Goolge search. When I found the following thread on the VMware communities: http://communities.vmware.com/message/2158059. The fix is really easy. Just clear your browser cache and after that, the Dashboard view will work again.

image

vCenter Operations: Disable the default web timeout


Just a quick note to remember how to disable the default web timeout of 30 minutes in vCenter Operations.

  1. Login as root on the UI VM.
  2. Open the the web.xml file with VI: vi/usr/lib/vmware-vcops/tomcat/webapps/vcops-vsphere/WEB-INF/web.xml
  3. Change the default value 30 to –1 to disable the timeout completely.
  4. image

  5. Save the changes via ESC, :wq
  6. restart the vcopsweb service via:  service vcopsweb restart
  7. Wait until the service is ready again.

Login to vCenter Operations and enjoy the view of your dashboards Smile

PowerCLI: Get-VirtualPortgroup -Distributed VlandId value is empty


Today I was busy with PowerCLI and dvPort groups.  I started to use the Get-VirtualPortgroup –Distributed cmdlet and parameter to retrieve some information about the dvPort group. But the default output doesn’t show the VlanId. See the screen shot below for the default output.

image

I don’t know if this is a known issue between PowerCLI 5.1 release 1 and vSphere 4.1 update 2. So I have to test it in a vSphere 5 environment.

But how can you find the vlanid of a distributed portgroup? You can use a PowerCLI script which I created  to fix this little “bug” and I have also added the PortsFree column to the output of the script.

$dvPortgroup = get-virtualportgroup -Distributed -Name "vlan1"
$dvPortgroupInfo = New-Object PSObject -Property @{            
    Name = $dvPortgroup.Name
    Key = $dvPortgroup.Key
    VlanId = $dvPortgroup.ExtensionData.Config.DefaultPortConfig.Vlan.VlanId
    Portbinding = $dvPortgroup.Portbinding
    NumPorts = $dvPortgroup.NumPorts
    PortsFree = ($dvPortgroup.ExtensionData.PortKeys.count - $dvPortgroup.ExtensionData.vm.count)
}  
$dvPortgroupInfo | ft -AutoSize

The output of the script:

image

If you want to create a report of all the dvPort groups. You can use the following script to achieve that goal:

$info = @()
foreach($dvPortgroup in (Get-VirtualPortgroup -Distributed | Sort Name)){
    $dvPortgroupInfo = New-Object PSObject -Property @{            
        Name = $dvPortgroup.Name
        Key = $dvPortgroup.Key
        VlanId = $dvPortgroup.ExtensionData.Config.DefaultPortConfig.Vlan.VlanId
        Portbinding = $dvPortgroup.Portbinding
        NumPorts = $dvPortgroup.NumPorts
        PortsFree = ($dvPortgroup.ExtensionData.PortKeys.count - $dvPortgroup.ExtensionData.vm.count)
    }  
    $info += $dvPortgroupInfo
}
$info | Export-Csv -UseCulture -NoTypeInformation C:\tmp\dvportgroup_info.csv

ESXi: Leave Windows Domain: The operation is not allow in the current state


Today I was struggling with an ESX host. The ESX host was unable to leave the Windows domain. I got the following error:

image

From the vSphere client I was unable to fix this issue. Apply Host profile failed also with the same error. So I started a search in the VMware KB and found an article about problems while attempting to join a Windows domain. In this article you’ll find a way to clean up the AD configuration from the CLI.

The solution for me was to stop the lsassd service:

/etc/init.d/lsassd stop

Remove the db directory:

/etc/likewise/db directory

and start the lasassd service again:

/etc/init.d/lsassd start

Now I was able to leave the Windows domain.

vCenter Operations Manager 5.x vApp Admin account tips


I just want to share two KB articles about the Admin account used in vCenter Operations Manager 5.x vApp. I had some trouble logging in as admin and these articles helped me solve the issue.

Automated lockout of the admin account in the vCenter Operations Manager 5.x vApp

 
Details

vCenter Operations Manager 5.x locks out the admin account on the vApp if you try to log in with incorrect credentials three times in a row.

Solution

Determine whether the admin account is locked out

  1. Log in to the console of the UI VM as root user.
  2. Run the following command twice: su admin.
    The admin account is locked if the console displays a message that reads Account locked due to XX failed login, where XX stands for the number of failed login attempts.
  3. Repeat the above steps on the Analytics VM to check if the admin account there is locked out.

Unlock the admin account

  1. Log in to the console of the UI VM as root user.
  2. Run the following command: pam_tally --user admin --reset.
  3. Repeat the above steps on the Analytics VM if the admin account there is locked out.

Disable the automated lockout for the admin account (optional)

  1. Log in to the console of the UI VM as root user.
  2. Remove or comment out the following line from file /etc/pam.d/common-auth:
    auth requisite pam_tally.so deny=3
  3. Repeat the above steps on the Analytics VM to disable the lockout functionality there.
    Note: The admin account is unlocked automatically when you disable this functionality.

Source: KB2030185

Resetting user passwords in vCenter Operations Manager vApp

Details

This article describes how to reset passwords in vCenter Operations Manager 5.x. The procedure for the root user is different from the admin user. Both procedures are documented here.

Solution

Resetting the root user password

If you forget the root user password, you can reset this password by booting into single user mode.

To reset the root user password:

  1. In the vSphere Client, power off both the UI and Analytics virtual machines.
  2. Select the powered-off UI virtual machine, right-click it, and choose Open Console in the pop-up menu.
  3. From the virtual machine console window, hit the green |> button to power on the UI virtual machine .
  4. When the boot screen appears, quickly click inside the window and enter a space.
    The boot process halts and the countdown from 7 to 0 at the bottom of the screen clears.
    Note: You have only a few seconds to accomplish this step. If you do not halt the boot countdown, you have to start over.
  5. Make sure the first line is selected (SUSE Linux Enterprise …), and press e.
    A boot parameters menu appears.
  6. Go to the second line (beginning with “kernel /vmlinuz-….”), and press e again.
    You are dropped into a grub prompt, and the cursor is positioned at the end of the line.
  7. Enter a space, followed by the parameter init=/bin/sh, and press Enter.
    The space and the parameter are appended to the line onscreen. Once you press Enter, you are returned to the previous boot parameters screen, with the kernel line highlighted.
  8. Press b to boot.
    You see a short boot sequence, followed by a shell prompt.
    Note: This step overwrites the temporary changes made in Step 7, and all boot parameters revert to their previous values.
  9. Run this command to reset the root user password:
    passwd
  10. Repeat Steps 1-9 for the Analytics virtual machine.
    Note: Make sure that you enter the same new password for both the UI and the Analytics virtual machines.

  11. Resetting the admin user password

If you forget the admin user password for vCenter Operations Manager, a script is available for you to re-set that password.

For the 5.0 version only, you must download and use the script attached to this document.

For vCenter Operations 5.0.1 and subsequent versions, the script will be available in the vApp.

To reset the admin password, follow these steps. If you are on a version later than 5.0, go to Step 3.

  1. If you are on the 5.0 version, download and unzip the file resetadminpwd.zip to obtain the script fileresetadminpwd.sh.
  2. Save resetadminpwd.sh on the UI virtual machine in the /usr/lib/vmware-vcops/user/conf/install folder.
  3. Make the script executable.
    chmod 755 resetadminpwd.sh
  4. As root, run the script resetadminpwd.sh on the UI virtual machine:
    ./resetadminpwd.sh new-password

Source: KB2013358

PowerCLI: dvSwitch info


In one of my previous posts you can find a PowerCLI script to report the dvPortgroup ports usage. In this post you’ll find a PowerCLI script to report the overall status of the dvSwitches in your environment. The script will report the dvSwitch Name, Version, Total ports maximum, Total ports in use and the total ports left on the dvSwitch.

Just copy the script below:

$dvSwitchInfo = @()
foreach($dvSwitch in (get-virtualSwitch -distributed |Sort Name)){
    $details = "" | Select Name, Version, Totalports, Portsinuse, Portsleft
    
    $totalPorts = $dvSwitch.ExtensionData.Config.MaxPorts
    $Portsinuse = $dvSwitch.ExtensionData.Config.NumPorts
    $portsleft = ($totalPorts - $Portsinuse)
        
    $details.Name = $dvSwitch.name
    $details.Version = $dvSwitch.ExtensionData.Summary.ProductInfo.Version
    $details.Totalports = $totalPorts
    $details.Portsinuse = $Portsinuse
    $details.Portsleft = $portsleft   
    
    $dvSwitchInfo += $details
}    
$dvSwitchInfo

The output will look like this:

image

I will create another script to combine the information of the dvSwitch and the dvPortgroups available on the dvSwitch to a complete html report like the vCheck.

PowerCLI: dvPortgroup ports report


In this post I will show you how you can generate a simple report of your dvPortgroups. The report shows the Name of the dvPortgroup, The portbinding configuration, The total ports configured, The total ports in use and last but not least the total ports left on the dvPortgroup.

The script below will search for all distributed portgroups in your vCenter where you’re connected to with PowerCLI.

$pgInfo = @()
foreach($pg in (get-virtualportgroup -distributed | Sort Name)){
    $details = "" | Select Name, PortBinding, Totalports, Portsinuse, Portsleft
    
    $totalPorts = $pg.ExtensionData.PortKeys.count    
    $Portsinuse = $pg.ExtensionData.vm.count
    $portsleft = ($totalPorts - $Portsinuse)
        
    $details.Name = $pg.name
    $details.PortBinding = $pg.PortBinding
    $details.Totalports = $totalPorts
    $details.Portsinuse = $Portsinuse
    $details.Portsleft = $portsleft   
    
    $pgInfo += $details
}    
$pgInfo | Export-Csv -UseCulture -NoTypeInformation C:\Scripts\dvPortgroupInfo.csv

The CSV output will look like this:

Name PortBinding Totalports Portsinuse Portsleft
vlan1 Static 32 4 28
vlan2 Static 32 0 32
vlan3 Static 32 7 25
vlan4 Static 32 1 31
vlan5 Static 32 12 20
vlan6 Static 32 0 32

With a simple PowerCLI script you can create a report of all your dvPortgroups. I am going to create another PowerCLI script to use as a Nagios plugin to see witch of the dvPortgroups have less than <X> ports left. So to be continued.