Thursday, 23 June 2016

Standalone ESXi User permission management

If your ESXi host is managed by vCenter Server, the preferred way to perform management tasks is through the vSphere Web Client.

However, as another best practice for a standalone ESXi host, we can create at least one user account on the ESXi host and assign it full administrative privileges on the host.

We can use this account instead of the root account. However, do not remove the root account.

ESXi predefined users:
The following users are predefined on a standalone ESXi host.
  • Root
    • By default ESXi host has a single root user account with the Administrator role. 
    • Root user account can be used for local administration and to connect the host to vCenter Server
  • VPXUser
    • vCenter Server uses vpxuser account when managing activities for the ESXi host. 
    • vCenter Server has Administrator privileges on the host that it manages through this account.
    • The vCenter Server administrator can perform most of the same tasks on the host as the root user and also schedule tasks, work with templates, and so forth. 
    • However, the vCenter Server administrator cannot directly create, delete, or edit local users and groups for hosts. 
  • DCUI
    • The dcui user runs on hosts and acts with Administrator rights. 
    • This user’s primary purpose is to configure hosts for lockdown mode from the Direct Console User Interface (DCUI). 
    • This user acts as an agent for the direct console and cannot be modified or used by interactive users. 

ESXi predefined Roles:
 
The following roles are predefined on an ESXi host for permission management:
  • Read Only
  • Administrator
  • No Access 

You can manage local users and groups and add local custom roles to an ESXi host using an old vSphere Client connected directly to the ESXi host.


Starting with vSphere 6.0, you can use ESXCLI account management commands for managing ESXi local user accounts. 
You can use ESXCLI permission management commands for modifying permissions on both Active Directory accounts (users and groups) and on ESXi local accounts (users only). 

Check my other article on how to add a local user account on an ESXi host using the command line at the link below.

How to add local account in esxi shell





Wednesday, 22 June 2016

VIB's and VMware Acceptance Levels

What is VIB?

VIB is an abbreviation for vSphere Installation Bundle. A VIB is an ESXi software package. VMware and its partners package solutions, drivers, CIM providers, and applications that extend the ESXi platform as VIBs. You can use VIBs to create and customize ISO images or to upgrade ESXi hosts by installing VIBs onto the hosts.

A VIB comprises three parts:
  • A file archive
  • An XML descriptor file
  • A signature file
File archive:
  • Also referred to as the VIB payload; it contains the files that make up the VIB.
  • When a VIB is added to an ESXi image, the files in the VIB payload are installed on the host.
XML descriptor:
  • This file describes the contents of the VIB.  
  • Included with the description is important information about the requirements for installing the VIB, dependencies, compatibility issues, and whether the VIB can be installed without rebooting.
Signature file:
  • This is an electronic signature used to verify the level of trust associated with the VIB.
  • The acceptance level not only helps protect the integrity of the VIB, but it also identifies who created the VIB and the amount of testing and verification that has been done.

VMware Acceptance Levels:
 
VMware Acceptance Levels can be categorized as below.  
  • Acceptance levels for VIBs: Cannot be modified. Comes with the release of the VIB.
  • Acceptance levels for hosts: Can be modified.

Acceptance levels for VIB's:
 
A VIB is released with an acceptance level which cannot be changed later.

The host's acceptance level must be the same or less restrictive than the acceptance level of any VIB you want to add to the host. 

Acceptance levels for hosts:


Below are the possible acceptance levels that can be configured on an ESXi host.
  • VMwareCertified
  • VMwareAccepted
  • PartnerSupported
  • CommunitySupported

VMwareCertified: 

  • This acceptance level has the most stringent requirements for VIBs.
  • VIBs at this level go through thorough testing that is fully equivalent to VMware in-house Quality Assurance testing for the same technology.
  • IOVP drivers are published at this level as of today. 
  • VMware takes support calls for VIB's with this acceptance level.

VMwareAccepted:
 

  • VIB's go through verification testing, but the tests do not include the test of every function of the software. 
  • The partner runs the tests and VMware verifies the result for VIB's at this acceptance level. 
  • CIM providers and PSA plug-ins are examples of the VIBs published at this level.
  • VMware directs support calls for VIB's with this acceptance level to the partner's support organization.

PartnerSupported:

  • VIB's with this acceptance level are published by a partner that VMware trusts. 
  • The partner performs all testing. VMware does not verify the results of the tests. 
  • This level is used for a new or non-mainstream technology that partners want to enable for VMware systems. 
  • VMware directs support calls for VIBs at this acceptance level to the partner's support organization.

CommunitySupported:


  • This acceptance level is for VIB's that are created by individuals or companies outside of VMware partner programs.
  • VIBs at this level are not tested through any VMware-approved testing program.
  • VIBs with this acceptance level are not supported by VMware Technical Support or by a VMware partner.

To protect the security and integrity of the ESXi host, do not install unsigned (that is, community-supported) VIBs on ESXi hosts. An unsigned VIB contains code that is not certified by, accepted by, or supported by VMware or its partners.

Community-supported VIB's do not have a digital signature.

How to Modify acceptance level:

Use ESXCLI commands to set an acceptance level for a host.

  • Connect to each ESXi host and verify that the acceptance level is set to VMwareCertified or VMwareAccepted by running the following command. 
esxcli software acceptance get



  • If the host acceptance level is not VMwareCertified or VMwareAccepted, determine whether any of the VIBs are not at the VMwareCertified or VMwareAccepted level by running the following command.
esxcli software vib list




  • Remove any VIBs that are at the PartnerSupported or CommunitySupported level by running the following command. 
esxcli software vib remove --vibname vib
  • Change the acceptance level of the host by running the following command. 
esxcli software acceptance set --level acceptance_level
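
An added example, not from the original post: a shell helper that reads `esxcli software vib list` output and prints the VIBs whose acceptance level is lower than the host level you intend to set, which are the ones the steps above say to remove first. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find installed VIBs that would block raising the host
# acceptance level, using the listing from `esxcli software vib list`.

# Constructed sample in the column layout of `esxcli software vib list`
# (names, versions, vendors and dates are made up).
sample_vib_list() {
cat <<'EOF'
Name            Version                   Vendor  Acceptance Level    Install Date
--------------  ------------------------  ------  ------------------  ------------
esx-base        6.0.0-2.34.0000000        VMware  VMwareCertified     2016-06-01
example-cim     1.0.0-1                   Acme    VMwareAccepted      2016-06-02
example-driver  2.1-1OEM.600.0.0.0000000  Acme    PartnerSupported    2016-06-03
example-tool    0.9-1                     Acme    CommunitySupported  2016-06-04
EOF
}

# vibs_below_level TARGET
# Reads the listing on stdin and prints "name level" for every VIB whose
# acceptance level is less trusted than TARGET. Exits 2 on an unknown TARGET.
vibs_below_level() {
    awk -v target="$1" '
    BEGIN {
        # Higher number = more stringent level.
        rank["CommunitySupported"] = 1
        rank["PartnerSupported"]   = 2
        rank["VMwareAccepted"]     = 3
        rank["VMwareCertified"]    = 4
        if (!(target in rank)) {
            print "unknown acceptance level: " target > "/dev/stderr"
            exit 2
        }
    }
    {
        # Scan for the level token instead of trusting a column index;
        # the header and separator rows contain no such token and are skipped.
        for (i = 2; i <= NF; i++)
            if ($i in rank) {
                if (rank[$i] < rank[target]) print $1, $i
                break
            }
    }'
}

# On an ESXi host: esxcli software vib list | vibs_below_level VMwareAccepted
# Offline run against the constructed sample:
sample_vib_list | vibs_below_level VMwareAccepted
```

An empty result means no installed VIB is below the target level.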
