ESXi Security Service Configurator (PowerCLI)

4 08 2012

Personally, I get annoyed when I have to dig through the vSphere Client GUI to turn certain ESXi services on or off on a regular basis. Since most admins follow good security practice, I see Lockdown Mode on and SSH off by default on ESXi hosts in many environments. When troubleshooting issues or configuring certain VMware-integrated products (such as the HyTrust Appliance), it is sometimes necessary to temporarily undo this setup (enable SSH and disable Lockdown Mode), and just as necessary to put it back afterwards.

The tool linked below can be used to turn SSH and/or Lockdown Mode on or off for a single host or for all hosts in the environment. As usual, feel free to use all, some, or none of the code. I’m hoping to add additional services to it in the future, but these two are the ones that consistently need toggling…

What it looks like in action:


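The same toggle written out as a PowerCLI function, added here as an example rather than the linked tool itself. It assumes an existing Connect-VIServer session to vCenter, the standard PowerCLI cmdlets Get-VMHost, Get-VMHostService, Start-VMHostService and Stop-VMHostService, and the vSphere API methods HostSystem.EnterLockdownMode() / ExitLockdownMode() reached through ExtensionData. The Config.AdminDisabled flag is used as the Lockdown Mode indicator, which is how the 4.x/5.x API exposes it; the host name in the usage lines is made up.

```powershell
# Added example, not the tool from the original post.
# Assumes: Connect-VIServer already run against vCenter (Lockdown Mode cannot be
# changed while connected directly to a locked-down host).

function Set-EsxiMaintenanceAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Host objects from Get-VMHost; defaults to every host in the session.
        [Parameter(ValueFromPipeline = $true)] $VMHost = (Get-VMHost),

        # 'Open'   = SSH running, Lockdown Mode off (troubleshooting / HTA setup)
        # 'Secure' = SSH stopped, Lockdown Mode on (the normal state)
        [Parameter(Mandatory = $true)]
        [ValidateSet('Open', 'Secure')] [string] $Mode
    )
    process {
        foreach ($h in $VMHost) {
            # The SSH daemon is the host service whose Key is TSM-SSH.
            $ssh        = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'TSM-SSH' }
            $lockedDown = $h.ExtensionData.Config.AdminDisabled   # $true when Lockdown Mode is on (4.x/5.x API)

            if ($Mode -eq 'Open') {
                if ($lockedDown -and $PSCmdlet.ShouldProcess($h.Name, 'Exit Lockdown Mode')) {
                    $h.ExtensionData.ExitLockdownMode()
                }
                if (-not $ssh.Running -and $PSCmdlet.ShouldProcess($h.Name, 'Start SSH (TSM-SSH)')) {
                    Start-VMHostService -HostService $ssh -Confirm:$false | Out-Null
                }
            } else {
                if ($ssh.Running -and $PSCmdlet.ShouldProcess($h.Name, 'Stop SSH (TSM-SSH)')) {
                    Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
                }
                if (-not $lockedDown -and $PSCmdlet.ShouldProcess($h.Name, 'Enter Lockdown Mode')) {
                    $h.ExtensionData.EnterLockdownMode()
                }
            }

            # Re-read the host so the output reflects what actually happened, not what was requested.
            $h.ExtensionData.UpdateViewData()
            $ssh = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'TSM-SSH' }
            New-Object PSObject -Property @{
                Host       = $h.Name
                SSHRunning = $ssh.Running
                Lockdown   = $h.ExtensionData.Config.AdminDisabled
            } | Select-Object Host, SSHRunning, Lockdown
        }
    }
}

# Usage (host name is an example):
# Get-VMHost esx01.example.local | Set-EsxiMaintenanceAccess -Mode Open     # open up for troubleshooting
# Get-VMHost esx01.example.local | Set-EsxiMaintenanceAccess -Mode Secure   # put it back
# Set-EsxiMaintenanceAccess -Mode Secure -WhatIf                              # preview across every host
```

Because the function supports -WhatIf and returns the resulting state of each host, the Secure run can be pasted into a change ticket as evidence that SSH is stopped and Lockdown Mode is back on. Both EnterLockdownMode() and ExitLockdownMode() are logged as events in vCenter, so a quick Get-VIEvent afterwards shows who opened which host and when.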
Find virtual machine snapshots with PowerCLI

2 10 2011

Run from a PowerCLI session connected to a vCenter environment to find and list all of the snapshots (and the users who took them, which Get-VM | Get-Snapshot won’t do) on your managed ESX/ESXi hosts. The user is recovered from the “Create virtual machine snapshot” event, so it is only available while that event is still retained in the vCenter event database; for older snapshots the script reports the user as unknown:

$myVMs = Get-VM
$VMsWithSnaps = @()
foreach ($vm in $myVMs) {
    $vmView = $vm | Get-View
    if ($null -ne $vmView.Snapshot) {
        Write-Host "VM $($vm.Name) has a snapshot"
        # Get-VIEvent returns the newest events first, so [0] is the latest snapshot creation.
        # Wrap in @() so a single matching event is still indexable.
        $SnapshotEvents = @(Get-VIEvent -Entity $vm -Types Info -MaxSamples 1000 |
            Where-Object { $_.FullFormattedMessage -like "*Create virtual machine snapshot*" })
        if ($SnapshotEvents.Count -gt 0) {
            $user = $SnapshotEvents[0].UserName
            $time = $SnapshotEvents[0].CreatedTime
        } else {
            # The create event has aged out of the vCenter event database.
            $user = "unknown"
            $time = $null
        }
        $VMInfo = "" | Select-Object "VM","CreationDate","User"
        $VMInfo.VM           = $vm.Name
        $VMInfo.CreationDate = $time
        $VMInfo.User         = $user
        $VMsWithSnaps += $VMInfo
    }
}
$VMsWithSnaps | Sort-Object CreationDate

Storage Capacity Script (PowerShell) – new and improved!

26 09 2011

Updated version of my storage capacity script has been uploaded:

Now with no need for a direct connection to the vCenter database, which removes a lot of the problems people had with the original:

Adding Active Directory users to a group by Display Name with PowerShell

21 08 2011

There are a number of ways to do this, including simply pasting the users’ display names into the Add Member box in Active Directory Users & Computers and clicking through the errors by hand. If you’re like me, and don’t like having to deal with things like this manually, then PowerShell is the way to go.
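One way to do it, added here as an example and not the script from the full post: resolve each display name with the ActiveDirectory module, and refuse to guess when a name matches nobody or more than one account. Display names are not unique in AD, and silently picking the first hit is how the wrong person ends up in an admin group. Assumes the ActiveDirectory module (Server 2008 R2 / RSAT) and the cmdlets Get-ADGroup, Get-ADUser and Add-ADGroupMember; the group and file names in the usage lines are made up.

```powershell
# Added example, not the original post's script.
Import-Module ActiveDirectory

function Add-ADGroupMemberByDisplayName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string]   $GroupName,
        [Parameter(Mandatory = $true)] [string[]] $DisplayName
    )
    $group = Get-ADGroup -Identity $GroupName

    foreach ($name in $DisplayName) {
        $name = $name.Trim()
        if (-not $name) { continue }                         # blank lines from a pasted list

        # A single quote is the only character special inside the quoted filter value.
        $escaped = $name -replace "'", "''"
        $found = @(Get-ADUser -Filter "DisplayName -eq '$escaped'" -Properties DisplayName, MemberOf)

        $status = switch ($found.Count) {
            0 { 'NotFound' }
            1 {
                if ($found[0].MemberOf -contains $group.DistinguishedName) {
                    'AlreadyMember'
                } elseif ($PSCmdlet.ShouldProcess("$($found[0].SamAccountName) -> $($group.Name)", 'Add-ADGroupMember')) {
                    Add-ADGroupMember -Identity $group -Members $found[0]
                    'Added'
                } else {
                    'Skipped'
                }
            }
            default { 'Ambiguous' }                          # duplicate display names: never guess
        }

        New-Object PSObject -Property @{
            DisplayName = $name
            Status      = $status
            Accounts    = ($found | ForEach-Object { $_.SamAccountName }) -join ';'
        } | Select-Object DisplayName, Status, Accounts
    }
}

# Usage (group and file names are examples): one display name per line in names.txt.
# Add-ADGroupMemberByDisplayName -GroupName 'VMware Admins' -DisplayName (Get-Content .\names.txt) -WhatIf
# Add-ADGroupMemberByDisplayName -GroupName 'VMware Admins' -DisplayName (Get-Content .\names.txt) | Format-Table -AutoSize
```

Run it with -WhatIf first and look at the Ambiguous and NotFound rows; those are exactly the names ADUC would have thrown errors for, except here you also get the list of candidate accounts so the right one can be added by sAMAccountName instead.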

Implementing the HyTrust Appliance – Part 3

16 08 2011

Roles, Rules, & Constraints (Oh my.)

IMO, the flagship feature of the HyTrust Appliance (HTA) is the way it extends the default vCenter Server security mechanisms with a more granular set of access controls over the virtual environment. As always, a layered approach to security is ideal, and use of the appliance provides exactly that. For more background, check out my previous posts on the HTA:

Implementing the HyTrust Appliance – Part 1 (deployment, configuration considerations)

Implementing the HyTrust Appliance – Part 2 (compliance templates, root password vaulting)


How to disable automatic rescan of HBAs initiated by vCenter

11 07 2011

Posting the link to this KB article mainly as a reminder to myself since this setting gets whacked back to the default after every vCenter Server upgrade.  In larger environments, allowing all of the hosts in a DRS/HA Cluster to initiate automatic rescans after a new datastore has been added can sometimes trigger “rescan storms” – updating the advanced setting config.vpxd.filter.hostRescanFilter to ‘false’ will prevent the automatic rescans, allowing you to do them in a more controlled manner.
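Since the setting gets reset on every upgrade, it is worth having a script that re-asserts it and then does the rescans on your own schedule. The following is an added example, not the KB article's procedure; it assumes a Connect-VIServer session to vCenter and the PowerCLI cmdlets Get-AdvancedSetting, New-AdvancedSetting, Set-AdvancedSetting, Get-Cluster, Get-VMHost and Get-VMHostStorage. The cluster name in the usage lines is made up.

```powershell
# Added example, not from the original post or the KB article.
$FilterName = 'config.vpxd.filter.hostRescanFilter'

function Disable-VCHostRescanFilter {
    # Idempotent: adds the key when it is missing (the state after an upgrade) or corrects its value.
    param([Parameter(Mandatory = $true)] $VIServer)

    $setting = Get-AdvancedSetting -Entity $VIServer -Name $FilterName -ErrorAction SilentlyContinue
    if ($null -eq $setting) {
        # vpxd stores the value as a string; the KB value is the literal false.
        New-AdvancedSetting -Entity $VIServer -Name $FilterName -Value 'false' -Type VIServer -Confirm:$false
    } elseif ("$($setting.Value)".ToLower() -ne 'false') {
        Set-AdvancedSetting -AdvancedSetting $setting -Value 'false' -Confirm:$false
    } else {
        $setting    # already correct; return it so the caller can log the verified value
    }
}

function Invoke-ControlledRescan {
    # With the automatic rescan gone, do the rescans one host at a time with a pause between
    # them rather than letting every host in the cluster hit the array at once.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Cluster,
        [int] $DelaySeconds = 30
    )
    foreach ($h in (Get-Cluster -Name $Cluster | Get-VMHost | Sort-Object Name)) {
        Write-Verbose "Rescanning HBAs and VMFS on $($h.Name)"
        Get-VMHostStorage -VMHost $h -RescanAllHba -RescanVmfs | Out-Null
        Start-Sleep -Seconds $DelaySeconds
    }
}

# Usage (cluster name is an example); run the first two lines after every vCenter upgrade:
# Disable-VCHostRescanFilter -VIServer $global:DefaultVIServer
# Get-AdvancedSetting -Entity $global:DefaultVIServer -Name $FilterName | Select-Object Name, Value
# Invoke-ControlledRescan -Cluster 'Prod-01' -DelaySeconds 30 -Verbose
```

The trade-off is explicit: once the filter is off, a datastore presented to the cluster will not appear on the other hosts until someone rescans them, so the controlled rescan needs to be part of the storage provisioning procedure, not an afterthought.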

Stopped VDR backup leaves behind hidden virtual machine snapshots

16 06 2011

Earlier this week a long-running VMware Data Recovery (VDR) job was stopped due to concerns over space usage on the source datastore.  While the job seemed to stop cleanly, it logged this error in the VDR logs:

error -3942 (Delete snapshot failed)

At first, this didn’t seem like a big deal – I simply went to delete all snapshots using the vSphere Client… and there were none listed.  Seeing the same result when pointing the vSphere Client directly to the host the virtual machine was running on, I started looking for a non-GUI way to do this and came across this KB article:

Committing snapshots on ESX/ESXi host from command line

These steps did eventually work to remove the snapshots, but it should be noted that I had to create another snapshot before the snapshot.get command would list anything.  Once the extra snapshot was in place the snapshot.removeall command did the trick.
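A PowerCLI version of the same check and workaround, added here as an example and not taken from the post or the KB article. It flags VMs whose disks point at delta files (names ending in -000001.vmdk and so on) while the snapshot tree is empty, which is the "hidden snapshot" state described above, and then applies the same fix the post describes: create a snapshot so the tree exists again, then remove all of them. Assumes a Connect-VIServer session and the PowerCLI cmdlets Get-VM, Get-HardDisk, Get-Snapshot, New-Snapshot and Remove-Snapshot.

```powershell
# Added example, not from the original post or the KB article.

function Find-HiddenSnapshot {
    # A VM with delta disks but no snapshot tree has snapshot data the vSphere Client will not show.
    param([Parameter(ValueFromPipeline = $true)] $VM = (Get-VM))
    process {
        foreach ($v in $VM) {
            $treeEmpty = ($null -eq $v.ExtensionData.Snapshot)
            # Delta disks are named <disk>-NNNNNN.vmdk; base disks are not.
            $deltas = @(Get-HardDisk -VM $v | Where-Object { $_.Filename -match '-\d{6}\.vmdk$' })
            if ($treeEmpty -and $deltas.Count -gt 0) {
                New-Object PSObject -Property @{
                    VM         = $v.Name
                    DeltaDisks = ($deltas | ForEach-Object { $_.Filename }) -join ';'
                } | Select-Object VM, DeltaDisks
            }
        }
    }
}

function Repair-HiddenSnapshot {
    # Same sequence as the post: take a snapshot so the tree is populated, then remove
    # everything (children included), which commits every delta disk into the base disks.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)] $VM)
    if ($PSCmdlet.ShouldProcess($VM.Name, 'Create temporary snapshot, then remove all snapshots')) {
        New-Snapshot -VM $VM -Name 'consolidate-temp' `
            -Description 'Temporary: created only to expose the hidden snapshot chain' -Confirm:$false | Out-Null
        # Removing the root snapshot(s) with -RemoveChildren commits the whole chain.
        Get-Snapshot -VM $VM | Where-Object { $null -eq $_.ParentSnapshot } |
            Remove-Snapshot -RemoveChildren -Confirm:$false
    }
}

# Usage:
# Find-HiddenSnapshot | Format-Table -AutoSize
# Find-HiddenSnapshot | ForEach-Object { Repair-HiddenSnapshot -VM (Get-VM -Name $_.VM) -WhatIf }
```

Committing a long-running backup's delta disks needs free space on the datastore while the merge runs and can take a long time on a busy VM, which is worth remembering given that space pressure is what caused the VDR job to be stopped in the first place; run the repair one VM at a time and check datastore free space before each.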