Dcui vmware что это
Некоторые замечания на тему VMware vSphere Security Permissions
Для предоставления доступа различным категориям пользователей к их виртуальным машинам, как правило, используется представление VM and Templates и система папок, на которые, собственно, и назначаются права. Однако, в некоторых случаях этого бывает недостаточно, поскольку для некоторых действий пользователь должен иметь права и на объекты среды, отсутствующие в отображении VM and Templates. Например, для добавления виртуального жёсткого диска или клонирования ВМ нужны права Datastore.Allocate Space или роль Datastore Consumer на объект Datastore или Datastore Cluster. А для возможности изменения сетевого интерфейса — права Network.Assign Network или роль Network Administrator на соответствующие портгруппы. Далее детальнее об этом и других нюансах назначения прав доступа в vSphere. Информация актуальна для версий vSphere 5.1 и 5.5.
Ввиду наличия различных представлений объектов инфраструктуры виртуализации, права доступа к некоторым объектам (VM, vApps) могут наследоваться от нескольких предков (например, VM folder и Resource Pool). что стоит иметь ввиду. Общая схема наследования представлена на рисунке:
Соответственно, если кого-то нужно в правах ограничить, нужно убедиться, что отнятые в одном месте права не наследуются из другого объекта.
Помимо этого, можно столкнуться на практике, что человек, имеющий полномочия администратора на уровне рута, вдруг оказывается ограниченным пользовательскими правами на уровне конкретной папки. Дело в особенностях выбора действующих прав в ситуации наложения ролей. При предоставлении полномочий следует иметь их ввиду.
1) Права, выданные дочерним объектам игнорируют наследованные. Другими словами, если пользователь входит в группы vSphereAdmins и CitrixAdmins, при этом первая имеет права админа на уровне root, а вторая — VM User на уровне папки Citrix, то как раз получим ситуацию, описанную в вышеприведённом абзаце.
2) Права выданные на конкретного пользователя преобладают над правами, выданными на группу (если и те и другие выданы на один объект и пользователь входит в группу).
3) Если используются пользователи из AD или иных источников, отличных от встроенного каталога vCenter SSO, vCenter периодически проверяет наличие учётной записи поиском по имени. И если после назначения прав в vCenter, учётка была переименована или удалена, соответствующие ей права из vCenter удаляются. И если в случае удалённой учётки это даже хорошо, то в случае, если кто-то переименовал группу (группы), например в соответствие с новыми политиками именования в организации, это может привести к неблагоприятным последствиям.
4) vCenter SSO не наследует права вложенных групп, если их участники не входят в Identity Sources. Например, если домен AD не добавлен в Identity Sources, то группа Domain Admins этого домена не будет иметь никаких полномочий на vCenter, даже с учётом того, что она входит в local\Administrators сервера vCenter.
Немного рекомендаций лучших собаководов Best Practices по теме предоставления прав доступа.
Напоследок упомяну о специализированных пользователях хостов ESXi. Спровоцировано тем, что коллега однажды решил убедиться, что сотрудники ИТ в некоторых регионах не наделали себе лазеек в инфраструктуре, и чуть было не вычистил ESXi-хосты от пользователя vpxuser.
vpxuser — специализированный пользователь, который создаётся при подключении хоста к vCenter и используется им для администрирования. Имеет, соответственно, административные права на хост и ни в коем случае не должен модернизироваться (не менять ни права ни пароль).
dcui user — ещё один специфичный пользователь, используемый в качестве агента при работе через Direct Console User Interface режиме lockdown mode хоста (в этом режиме любые подключения к хосту запрещены, кроме управления с помощью vCenter).
В качестве заключения хочу заметить, что никогда я настолько не осознавал значимости и актуальности AGDLP-подхода при назначении прав доступа к системе, как при разработке политики назначения прав на объекты vCenter. Ввиду вышеприведённых особенностей и большого количества ветвлений элементов иерархий.
Understanding the VMware ESXi Direct Console User Interface (DCUI)
Introduction
When ESXi was released and it did not have the traditional Linux-based service console operating system (COS), there was near-panic among VMware-Admins. ESXi has a very limited and simple menu-driven user interface that VMware calls the direct console user interface (DCUI). In this article I will show you what this interface looks like and demonstrate what you can do with it.
What does the VMware ESXi Direct Console User Interface (DCUI) offer?
Here is what the DCUI looks like:
Figure 1: VMware ESXi DCUI
Other than the hidden console (discussed below), what you see as an option on the menu in Figure 1 is all that the DCUI can do. To me, ESXi this simple interface is one of a number of reasons that ESXi is ideal for those new to virtualization. I say this because, besides this straightforward interface, ESXi is free and is the most powerful virtualization platform available today.
This DCUI interface offers the following:
To use these features, you navigate with your function keys, arrow keys, and the ENTER key (there is no mouse support). This console is not available to remote users. You must be at the server console to access it and configure these things. Let’s talk about remote management.
How do you remotely manage VMware ESXi?
Just like any other ESX server, the primary application to manage ESXi remotely is the VMware vSphere client. You download it by going to your ESXi server’s web page.
Of course, another alternative for basic management tasks is VMware Web Access. You will also find that if you go to your ESXi server’s web page.
But, as there is no SSH interface, what most people are asking about when they ask how they will manage ESXi remotely is how they will perform command line commands or use scripts (read Scott Lowe’s Managing ESXi in a COS-less world).
Fortunately, VMware offers 3 command line options to manage both ESXi and ESX Server. They are:
Using the DCUI to configure an ESXi server
Configuring the new ESXi server is easy with the DCUI. By default, the server will get its network information (IP address, etc) from DHCP. However, likely you don’t want a server using DHCP for long. Minimally, you should go in and configure the root username and password as well as static IP network information.
To login to the DCUI system customization screen, press F2. If a password is configured for root, you will enter it. If not you can just go ahead and configure a new root password, as you see me doing in Figure 2.
Figure 2: Configuring a Root username and password
From there, make sure that you go into the Configure Management Network section then into 3 areas:
Here you see me using a static IP address, subnet mask, and default gateway:
Figure 3: Configuring a static IP
From there, I configured DNS servers and DNS domain:
Figure 4: Configuring DNS settings in ESXi
And finally, the custom DNS suffix:
Figure 5: Custom DNS Suffix
Finally, when you press ESC you will be asked to restart the management network, as you see in Figure 6.
Figure 6: Restarting the ESXi management network
These are the minimal changes you will make on an ESXi server but I encourage you to explore other configurations that you can set and logs that you can view inside the DCUI.
Accessing the hidden command line interface
If you REALLY need access to a command line on an ESXi server, there is a completely unsupported and hidden ESXi command line interface. To access it, on the server console, press Alt-F1 then type unsupported and press enter. From here, you will need to type the root password and you will get a command prompt that looks like this:
Figure 7: ESXi unsupported console
You can learn more about this hidden and unsupported console in my article: How to access the VMware ESXi hidden console.
In Summary
VMware ESXi has no Linux-based service console (COS) like ESX classic. Instead, VMware ESXi offers a direct console user interface (DCUI). In this article you learned what it offers you, how to configure a new ESXi server with it, how to manage ESXi remotely, and how to access the hidden ESXi CLI. ESXi and the DCUI are real simple once you have a quick introduction to them.
For more information on VMware ESXi Server, checkout my other articles about ESXi at:
handonlabs
IT HandOnLabs guide
Managing VMware ESX Direct User Interface (DCUI)
Introduction
Version: vSphere 5.5
The Direct Console User Interface (DCUI) is the front-end management system that allows for some basic configuration changes and troubleshooting options should the VMware ESX host become unmanagable via conventional tools such as the vSphere Client or vCenter.
Typical administration tasks include:
Most actions are carried out by using [F2] on the keyboard or [F11] confirm changes, along with typical options such as [Y] and [N] to various system prompts. Before carrying out any task you will be required to supply the ‘root’ password. However, the first law of security is to secure the physical server – so take care to ensure your access to ILO/RAC/BMC interfaces are properly secured. Although the VMware ESX host can be rebooted from the DCUI this is regarded as an action of last resort. If the VMware ESX hosts has running VMs these will crash, and may or may not be restarted on other hosts depending on whether they are part of a cluster.
Reset ‘root’ password
You may need to reset the ‘root’ password because an inappropriate one was initially assigned, or it has become disclosed to individuals who should be denied access. There are easier ways to change the root password using the vSphere Client, and if you need to change the ‘root’ account password for many hosts (say on a quarterly basis) you might find VMware’s PowerCLI and other scripting automation tools are a better approach.
VLAN Configuration
1. Open a console window to the physical VMware ESX hosts
2. Press [F2] on the keyboard, and supply your current ‘root’ logon password and press [ENTER]
3. Use the cursor keys to scroll down and select “Configure Management Network” and press [ENTER]
4. Select “VLAN (Optional)” and press [ENTER]
5. Type in the VLAN ID value, and press [ENTER]
IP Configuration
1. Open a console window to the physical VMware ESX hosts
2. Press [F2] on the keyboard, and supply your current ‘root’ logon password and press [ENTER]
3. Use the cursor keys to scroll down and select “Configure Management Network” and press [ENTER]
4. Scroll down and select “IP Configuration” and press [ENTER]
5. Complete the IP configuration as it befits your local network requirements:
6. The DNS settings can be modified by selecting “DNS Configuration” and press [ENTER]. The DNS Configuration allows for the setting of a primary and secondary DNS server, together with the short “hostname”. The fully-qualified domain name (FQDN) is completed by configuring the “DNS Suffix” options
7. The IP Configuration can be tested using the “Test Management Network” options. This allows the SysAdmin to test communication to the router (if present) and the DNS servers on the network – as well as confirming the hostname is resolvable to via DNS.
IMPORTANT: Although the test here passed on the hostname, the test merely checks to see if the hostname is present on the DNS server. It does not verify if the hostname (or ANAME record) is valid or pointing at the correct address. As such this means you could still have incorrect entries in the DNS database. It’s recommend to use a utility like nslookup to confirm that both forward and reverse DNS looks resolve to the correct name.
Restore Network Configuration
Restoring the network configuration is quite a dangerous option if not used correctly. It has the potential to reset the network to such a state that you will not be able to communicate to the VMware ESX host without resorting to the DCUI to resume communication. It also has the possibility of disconnecting virtual machines (VMs) that are running on the VMware ESX host. Additionally, it has the ability to remove standard and distributed virtual switches (vSwitch) from the host in event that these have become broken on the host beyond repair.
CAUTION: As such you should approach these options with extreme care.
1. Open a console window to the physical VMware ESX hosts
2. Press [F2] on the keyboard, and supply your current ‘root’ logon password and press [ENTER]
3. Use the cursor keys to scroll down and select “Network Restore Options” and press [ENTER]
4. Select the Restore option required, and press [ENTER]. In the following case the option “Restore Network Settings” was selected.
Configure Keyboard
Whilst the VMware ESX host keyboard settings can be configured during installation, it possible to modify this after the installation itself.
1. Open a console window to the physical VMware ESX host
2. Press [F2] on the keyboard, and supply your current ‘root’ logon password and press [ENTER]
3. Use the cursor keys to scroll down and select “Configure Keyboard” and press [ENTER]
4. Use the cursor keys to highlight the preferred language, and then spacebar to select the new keyboard type. Press [ENTER] to make the change.
Troubleshooting Options
Restart Management Agents
In the early days of VMware ESX occasionally the host would appear as being “disconnected” in the management system of vCenter. Although the host has a “WatchDog” service designed to restart the core management agent, this would be unsuccessful. In recent years these random disconnections have been resolved – and its now highly unusual for an VMware ESX host to enter a disconnected state. Nowadays, if this happens its is more normally another cause such as an IP conflict, or the host being rebooted in non-authorised manner or some type of hardware failure. Nonetheless, the option to restart management agents does exist in the DCUI. If you do use this option you will need to be patient as it can take time for other systems to “retry” the connection and reconnect to the host.
1. Open a console window to the physical VMware ESX host
2. Press [F2] on the keyboard, and supply your current ‘root’ logon password and press [ENTER]
3. Use the cursor keys to scroll down and select “Troubleshoot Options” and press [ENTER]
4. Use the cursor keys to scroll down to “Restart Management Agents” and press [ENTER]. In the following page not only do you have the option to simply restart the management agents, but also collect extra troubleshooting information. Notice the warning about this disconnects all existing remote management software.
Enabling ESXi Shell and SSH together with Timeout Values
It is possible to get true command-line access to the VMware ESX host. This can be either by the “ESXi Shell” normally access via the ILO/RAC/BMC card or using the Secure Shell protocol (SSH) commonly access on TCP port 22 using a SSH client like PuTTy. In addition to these options being enabled they can be enabled for a designated period as well, to allow temporary console access. This is prevents the need to have protocols like SSH enabled all the time, which could be regarded by some as a security weakness. If you do have a require to permanently enabled SSH access this can be done from the “Security Profile” on the VMware ESX host either with the vSphere Client or using vCenter with the Web-Client.
Important: If you intend to set timeout values you must set these before enabling the ESXi Shell and/or SSH.
1. Open a console window to the physical VMware ESX host
2. Press [F2] on the keyboard, and supply your current ‘root’ logon password and press [ENTER]
3. Use the cursor keys to scroll down and select “Troubleshoot Options” and press [ENTER]
4. Use the cursor keys to select “Modify ESXi Shell and SSH Timeouts”, and press [ENTER]. Configure the durations for the “Availability Timeout” and “Idle Timeout”. A zero value can be specified which indicates that sessions never expire.
5. Next we can Enable the ESXi Shell and SSH. These a toggle options where pressing [ENTER] switches the option from “Enable…” to “Disable…”
6. Accessing the ESXi Shell requires exiting the DCUI back to the main screen and then pressing [ALT+F1] on the keyboard. The keystroke [ALT+F2] will toggle the SysAdmin back to the DCUI. Typing the command ‘exit’ at the ESXi Shell prompt logs the SysAdmin out of the environment.
7. Accessing the ESXi SSH Service requires a SSH Client. For Windows systems the most popular is the free PuTTy tool. Linux and Apple support their own native SSH command-line utilities.
Unsupported Tip: The DCUI is a process like any other on the VMware ESXi host. It is possible to access the DCUI from a SSH session using PuTTy. This is not a support usage, and it runs the risk of disconnecting the very SSH session that allows it work. The DCUI is accessed from the SSH session by typing the command “dcui” and the SysAdmin can exit the shell using the keystroke [CTRL+C]
View System Logs
There many ways of viewing and gathering the system logs from a VMware ESX host. Viewing them via the DCUI is perhaps least friendly method but it is possible.
1. Open a console window to the physical VMware ESX host
2. Press [F2] on the keyboard, and supply your current ‘root’ logon password and press [ENTER]
3. Use the cursor keys to scroll down and select “View System Logs” and press [ENTER]
4. Pressing a number on the keyboard from 1-6 will allow you to view the system logs, and [Q] on the keyboard will quit the log view, and return the SysAdmin back to the DCUI screen.
Reset System Configuration (Factory Reset)
A “Reset System Configuration” (or more commonly referred to as a ‘factory reset’) reconfigures the ESX host back to its initial installation. This achieve by maintain various system states between reboots. Before issuing a “Reset System Configuration” its is recommended to carry out a manual backup of the VMware ESX host. This can be done using the command vicfg-cfgbackup or PowerCLI.
IMPORTANT: A reset of the VMware ESX host also resets the root password back to being blank. As consequence all previous passwords including the one configured at the installation are lost.
1. Open a console window to the physical VMware ESX host
2. Press [F2] on the keyboard, and supply your current ‘root’ logon password and press [ENTER]
3. Use the cursor keys to scroll down and select “Reset System Configuration” and press [ENTER]. Next press [F11] to confirm you wish to carry-out the reset, followed by [ENTER] to confirm a reboot of the system.
Shutdown/Restart the VMware ESX Host
There are many ways to shutdown or reboot the VMware ESX host. By far the most appropriate method would be use vCenter “maintenance mode” which in conjunction with the VMotion and the Distributed Resource Schedule (DRS) feature successfully evacuate all the VMs from the host, before a shutdown or reboot instruction is given. You should exhaust all reasonable efforts to gain control over the the VMware ESX host to carry out a graceful outage of the host. Only use the power button or the shutdown/restart functionality of the DCUI if you have no other option.
1. Open a console window to the physical VMware ESX host
2. Press [F12] on the keyboard, and supply your current ‘root’ logon password and press [ENTER]
3. Pressing [F2] on the keyboard will trigger a shutdown, whereas pressing [F11] will trigger a reboot. Before using the [F2] ensure you have suitable access to trigger a power on of the physical server!
Set-VMHost esx01nyc.corp.com -State maintenance
Note: Once a host is in maintenance mode it remains in this mode even after a reboot. An VMware ESX in maintenance mode cannot power on a VM, nor have VMs moved to it.