Working with the VMware vCenter Server Appliance
While working with the VMware vCenter Server Appliance (VCSA) the last couple of years I came across several bits and pieces of information that I collected which, I think, are useful for working with the VMware vCenter Server Appliance (VCSA) and combined them in this blog post.
VMware vCenter Server provides a centralized platform for managing your VMware vSphere environments through a single pane of glass. The VMware vCenter Server Appliance (VCSA) is a preconfigured Linux-based virtual appliance that can be deployed simply as a Virtual Machine. This VM is optimized for running vCenter Server and the associated services on Linux.
Highlighted in this VMware vCenter Server Appliance blogpost:
- Change the Password and Password Expiration Settings of the Root User
- Enabling SSH, Local Access and Bash shell
- Unlocking a locked out Root account
- Updating or patching the VCSA
- VCSA startup stages after reboot
- WinSCP to vCenter Server Appliance
Change the Password and Password Expiration Settings of the Root User
When you deploy the vCenter Server Appliance, you set the initial password of the root user, which expires after 365 days by default. For security reasons, you can change the root password, as well as the password expiration settings. In version 5.5 and 6.0 of the VCSA the root password expires in 90 days, with the updated version by default the root password will expire in 365 days. You can login to the VMware Appliance Management Interface (VAMI) with a web browser on the following address:
Important: If there is no VAMI page showing up on port 5480 you are probably running VCSA version 6.0, because VMware removed the VAMI from vCenter Server 6.0. This issue can be resolved by updating the VCSA to Update 1 or later. For the necessary steps on upgrading please check the paragraph about Updating or patching the VCSA.
- Login with Root and the root-password.
- Go to Administration in the left panel
- In the right panel you can Change the Root Password
- In the panel below you can adjust the Password Expiry Settings
Enabling SSH, Local Access and Bash shell
After installing the VCSA local access and SSH access will be disabled. If you need to install plugins in the VCSA like the NexentaConnect for VSAN you will need SSH access to adjust some local settings and add the package for the plugin. You have multiple ways to activate Local Access and SSH possibilities.
Option 1: Through the VMware Appliance Management Interface
- Login to the VAMI
- Go to Access in the left pane
- Check the two boxes enabling ssh login and bash shell
Option 2: Through the vSphere Web Client
- Login to the vSphere Web Client
- Go to Administration > System Configuration > Right-Click the correct VCSA node > Edit settings
- Adjust accordingly how you would like it to behave
Unlocking a locked out Root account
If the root account is not accessible through the console, the secure shell, and the Virtual Appliance Management Interface (VAMI) (vCenter Server Appliance 5.5 and 6.0 Update 1+), the root account has been inactivated due to password expiration. To reactivate the root account, the vCenter Server appliance must be rebooted and the kernel option modified in the GRUB bootloader to obtain a root shell.
First of all you have to edit the settings of the VCSA to delay the boot sequence through the vSphere Client. Make sure you know on which ESX host the VCSA runs before you shut it down. The time between when you power on the virtual machine and when it exits the BIOS or EFI and launches the guest operating system software is short. You can change the boot delay or force the virtual machine to enter the BIOS or EFI setup screen after power on.
Delaying the boot operation is useful for changing BIOS or EFI settings such as the boot order. For example, you can change the BIOS or EFI settings to force a virtual machine to boot from a CD-ROM.
- In the vSphere Client inventory, right-click the virtual machine and select Edit Settings.
- Click the Options tab and under Advanced select Boot Options.
- In the Power on Boot Delay panel, select the time in milliseconds to delay the boot operation.
- (Optional) Select whether to force entry into the BIOS or EFI setup screen the next time the virtual machine boots.
- (Optional) Select whether to try to reboot after a boot failure.
- Click OK to save your changes.
- Power-On the VCSA
To reactivate the root account:
- When the GRUB bootloader appears, press the spacebar to disable autoboot
- Type p to access the appliance boot options
- Enter the GRUB password
Note: If the vCenter Server appliance was deployed without editing the root password in the Virtual Appliance Management Interface (VAMI), the default GRUB password is vmware. If the vCenter Server appliance root password was reset using the VAMI, then the GRUB password is the password last set in the VAMI for the root account.
Use the arrow keys to highlight VMware vCenter Server Appliance and type e to edit the boot settings
- Scroll to the second line displaying the kernel boot parameters
- Type e to edit the boot command
- Append init=/bin/bash to the kernel boot options
- Press Enter. The GRUB menu reappears
- Type b to start the boot process. The system boots to a shell
- Reset the root password by running the passwd root command
- Restart the appliance by running the reboot command
Updating or patching the VCSA
Depending on which VCSA version you are running you have two options to update the VCSA.
Option 1 – Updating or Patching the VCSA through a SSH connection
- Download VCSA update from the following location:
- Upload the ISO to a Datastore
- Attach the downloaded ISO to the VCSA virtual machine (Do not forget to check the connected box)
- SSH to the VCSA
- Run the following commands
To stage the ISO
software-packages stage –iso
Run through the EULA (with ENTER) and answer with yes. To see the staged content
software-packages list –staged
To install the staged rpms
software-packages install –staged
After patching is successful use the following command to reboot the VCSA
Shutdown reboot –r Update_to_last_patches
Option 2 – Updating or Patching the VCSA through the VAMI
You can also update the VCSA throught the VAMI web interface when you are running a version of VCSA which has a active/available VAMI
- Go to Update in the left panel and than in the right panel to Check Updates
You have the choice to use a CDROM or download it through a URL.
VCSA startup stages after reboot
The VCSA goes through different stages while booting, it has five visible stages:
- You can connect to the IP address/FQDN of the VCSA
- Error message 503 when trying to connect to the vSphere Web Client
503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http16LocalServiceSpecE:0x7f809c7187b0] _serverNamespace = /vsphere-client _isRedirect = false _port = 9090)
- You will see a Blanc screen while trying to connect to the vSphere Web Client
- The vSphere Client web server is initializing message is visible
- You can login through the vSphere Web Client Login Screen (Do not forget the email@example.com instead of root)
Now the VCSA is fully booted and operational.
WinSCP to vCenter Server Appliance
When trying to connect WinSCP to the vCenter Server Appliance (VCSA) you will get an error message and you can not connect to upload or retrieve files from the VCSA. When you copy files using WinSCP, part of the operation happens on the target Linux system. The default Appliance Shell cannot be the remote partner of WinSCP. You must enable the Bash shell on the appliance, you can do that through the VAMI as described in the paragraph about Enabling SSH, Local Access and Bash shell. You can also do it by
- Login to the VCSA through a SSH connection
- Provide the the username root and the root password when prompted
- Inserted the following commands:
Than go to the Bash shell
In the bash shell switch from default shell to Bash
chsh -s /bin/bash root
Now you can use WinSCP to place or get files on the VCSA
To return the Bash shell to the Appliance shell use
chsh -s /bin/appliancesh root
When using Linux to place or retrieve files you can use PSCP.