I have been asked by many whether it is possible to automate ESXi host-level changes without opening SSH. In many organizations people are prohibited from opening SSH, yet they still need to make certain changes at the host level. One such change comes up in a stretched cluster environment, where “disk.terminateVMOnPDLDefault” needs to be set to true. Unfortunately this setting can only be configured in /etc/vmware/settings. So how do you automate this?
Andreas Peetz from V-Front.de came up with an awesome solution. He created a plugin to esxcli allowing you to run commands on an ESXi host. So in other words, when you install his plugin (it is a vib) you can remotely fire off a command on an ESXi host as if you are sitting behind that host.
How does that work? Well, first of all you install the vib Andreas created (or include it in your image). Once it is installed you can simply run the following on any machine that has the vSphere CLI installed:
esxcli -s hostname -u username -p password shell cmd -c "command"
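As an added example (not code from the original post or from Andreas's plugin), the script below wraps the command above to make the stretched-cluster change from the first paragraph idempotently and read the resulting line back, so it can be run repeatedly across a list of hosts. It assumes the shell vib is installed on each host, the invocation syntax is exactly the one quoted above, /etc/vmware/settings holds one "key = value" pair per line, and credentials come from the environment variables ESXI_USER and ESXI_PASS (all assumptions, not stated in the post).

```shell
#!/bin/sh
# Added example; not from the original post or from the esxcli shell plugin.
# Assumptions: the "shell" vib is installed, the syntax quoted in the post is
# used unchanged, /etc/vmware/settings is "key = value" per line, and
# ESXI_USER / ESXI_PASS are set in the environment rather than hardcoded.

# Build a one-line shell command that idempotently sets KEY to VALUE in FILE:
# replace the line if the key already exists, otherwise append it, then print
# the resulting line so the caller can verify what the host actually has.
# The same text is executed locally for testing and shipped to a host below.
render_set_cmd() {
  file=$1; key=$2; value=$3
  printf '%s' \
    "if grep -q '^${key} *=' '${file}' 2>/dev/null; then " \
    "sed -i 's|^${key} *=.*|${key} = ${value}|' '${file}'; else " \
    "echo '${key} = ${value}' >> '${file}'; fi; " \
    "grep '^${key} *=' '${file}'"
}

# Run the edit against a local file (used to test the logic without a host).
apply_local() {
  sh -c "$(render_set_cmd "$1" "$2" "$3")"
}

# Run the same edit on one ESXi host through the esxcli shell plugin.
# Note that -p places the password in the management station's process
# list; the vSphere CLI's --config / --sessionfile options avoid that.
apply_remote() {
  host=$1; key=$2; value=$3
  esxcli -s "$host" -u "$ESXI_USER" -p "$ESXI_PASS" shell cmd \
    -c "$(render_set_cmd /etc/vmware/settings "$key" "$value")"
}

# Usage: enable VM termination on PDL on every host named in $HOSTS.
# for h in $HOSTS; do apply_remote "$h" disk.terminateVMOnPDLDefault TRUE; done
```

Because the command prints the line it ended up with, a loop over hosts gives you a per-host confirmation of the setting without a second round trip.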
Awesome right?! I think so; this is probably one of the coolest things I have seen in a while. Very clever solution, once again… awesome work Andreas, and head over to V-Front.de for more details and the actual download of this plugin!
** Disclaimer: implementing this solution could result in an unsupported configuration. This article was published to demonstrate the capabilities of esxcli and for educational purposes **
Doug B says
This is definitely very cool, but I’m wondering how many companies that restrict the usage of SSH would allow additional (unsupported) software to be loaded on the ESXi host itself.
It is very nice that this plugin leverages the vSphere CLI connection rather than opening another port on the hosts, so it actually maintains the minimal attack surface.
Andreas Peetz says
I would not call this package “real software”, because it just includes an XML file and a quite simple shell script. That means it does not really increase the attack surface and should survive any audit of paranoid security officers 😉
– Andreas (the author of the plugin)
How does it log to syslog in this case?
When normal shell commands are run it logs like this:
2013-01-08T00:18:59Z localhost.localdomain shell: du -sh /scratch/log/
Can you confirm it logs commands executed by this method, and what it looks like when logging to syslog?
David Chung says
I am going to try this out soon. I’ve been using the Quest version of plink.exe to execute esxi cli commands for my scripts. I think this plugin may be more secure to use in scripts.