A high security standard rarely makes daily operations easier, but it is nevertheless necessary in a VMware enterprise environment. Daily operations can be supported with tools like VMware vRealize Orchestrator or VMware vRealize Operations Manager. This article shows how to manage host Lockdown Mode and the SSH service with vRealize Orchestrator workflows. To make these workflows easily accessible, the vCenter Server extension is a good fit.
If your environment follows the VMware Security Hardening Guides, the SSH service should be disabled and Lockdown Mode enabled on all ESXi hosts.
How to manage Host Lockdown Mode and SSH Service
In the vSphere Web Client, two steps are needed to enable SSH access to an ESXi host, in this order:
- Disable Lockdown Mode
- Start SSH Service
The order matters: while a host is in Lockdown Mode, direct logins to the host (SSH included) are blocked for normal accounts, so just starting the service is not enough. Once the work that required SSH is done, the SSH service needs to be stopped and Lockdown Mode enabled again to keep the environment secure. This is a good candidate for a vRealize Orchestrator workflow that makes daily operations more efficient.
vRealize Orchestrator Workflow
I decided to create two separate workflows, one for Enable and one for Disable, even though a single workflow with an additional input would be more compact. In my opinion dedicated workflows are more transparent in the vCenter Server extension.
Enable SSH (and disable Lockdown)
Scriptable task - Disable Lockdown
Input: hostSystem - VC:HostSystem
```javascript
var mode = hostSystem.config.lockdownMode.value;
if (mode === "lockdownDisabled") {
    System.log(hostSystem.name + " is already not in lockdown mode");
}
else if (mode === "lockdownNormal") {
    hostSystem.exitLockdownMode();
    System.log(hostSystem.name + " is now not in lockdown mode.");
}
else {
    // lockdownStrict (or an unknown value): fail the workflow instead of silently
    // continuing to the Enable SSH task on a host that stays locked down.
    throw hostSystem.name + " is in lockdown mode '" + mode + "', which this task does not handle";
}
```
Scriptable task - Enable SSH
Input: hostSystem - VC:HostSystem
Input: serviceAction - string "start"
Input: serviceName - string "TSM-SSH"
External Source: Manage Services on your ESXi Hosts with vCO by Burke Azbill
```javascript
// Reference: https://www.vcoteam.info/articles/learn-vco/240-manage-services-on-your-esxi-hosts-with-vco.html
// Get the hostServiceSystem object from the host:
var hostServiceSystem = hostSystem.configManager.serviceSystem;
// Refresh services info to make sure all properties are fresh:
hostServiceSystem.refreshServices();
// Get the SSH service
var serviceObj = null;
var services = hostServiceSystem.serviceInfo.service; // Retrieve a list of available services on this host
for each (svc in services) { // Match the service key with the service name we're passing in
    //System.log("Checking " + svc.key + " / " + serviceName); // Optionally uncomment for additional logging
    if (svc.key == serviceName) {
        System.log("Service Found! " + svc.label);
        serviceObj = svc;
        break;
    }
}
if (serviceObj == null) { // Make sure we got the service object we are trying to manipulate - if null, throw exception
    throw "unable to locate service: " + serviceName + " on host: " + hostSystem.name;
}
// Process Action
switch (serviceAction) {
    case "start": // Only run the startService method if the service is not running
        if (serviceObj.running != true) {
            hostServiceSystem.startService(serviceObj.key);
        }
        break;
    case "stop": // Only run the stopService method if the service is running
        if (serviceObj.running == true) {
            hostServiceSystem.stopService(serviceObj.key);
        }
        break;
    case "restart":
        hostServiceSystem.restartService(serviceObj.key);
        break;
    case "uninstall": // Not all services can be uninstalled so we use a try/catch here
        try {
            hostServiceSystem.uninstallService(serviceObj.key);
        } catch (err) {
            System.error("Error uninstalling service " + serviceObj.key + " (" + err + ")");
            Server.error("Error uninstalling service " + serviceObj.key, serviceObj.key);
        }
        break;
    default: // We should never get here, so provide some warning logging and optionally throw an exception if appropriate for your environment
        System.warn("Invalid service action selected");
        Server.warn("Invalid service action selected", serviceAction);
}
```
Disable SSH (and enable Lockdown)
Scriptable task - Enable Lockdown
Input: hostSystem - VC:HostSystem
```javascript
var mode = hostSystem.config.lockdownMode.value;
if (mode === "lockdownNormal" || mode === "lockdownStrict") {
    System.log(hostSystem.name + " is already in lockdown mode (" + mode + ")");
}
else if (mode === "lockdownDisabled") {
    hostSystem.enterLockdownMode();
    System.log(hostSystem.name + " is now in lockdown mode.");
}
else {
    // Unknown value: fail loudly rather than report a host as secured that may not be.
    throw hostSystem.name + " reports unknown lockdown mode '" + mode + "'";
}
```
Scriptable task - Disable SSH
Input: hostSystem - VC:HostSystem
Input: serviceAction - string "stop"
Input: serviceName - string "TSM-SSH"
External Source: Manage Services on your ESXi Hosts with vCO by Burke Azbill
The scriptable task body is identical to the Enable SSH task above (the same script by Burke Azbill); only the serviceAction input differs, so "stop" takes the stop branch and stops TSM-SSH if it is currently running.
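The four scriptable tasks above apply their changes but never re-read the host afterwards, and the lockdown tasks only know about normal lockdown. The following is an added example, not part of the original article or of Burke Azbill's script, of the single-workflow variant mentioned earlier: one task with a mode input that runs the steps in the correct order, refuses hosts in strict lockdown instead of silently skipping them, and fails the workflow if the host does not end up in the expected state. The function names (applyAccessMode, readState, findService) and the fake host built by makeFakeHost are my own; the fake host exposes only the subset of the VC:HostSystem API used on this page so the example runs offline under Node.js. In vRO, host and mode would be workflow inputs and the fake host would not be needed.

```javascript
// Added example (not from the original article): combined enable/disable task
// with strict-lockdown refusal and a post-condition check. Plain ES5 so it runs
// in Node.js and can be pasted into a vRO scriptable task with minor changes.

var SSH_SERVICE_KEY = "TSM-SSH";

// Use vRO's System.log when running inside Orchestrator, console.log otherwise.
function log(msg) {
  if (typeof System !== "undefined" && System.log) { System.log(msg); }
  else { console.log(msg); }
}

// Look up a host service by key; throws if the host does not expose it.
function findService(host, key) {
  var serviceSystem = host.configManager.serviceSystem;
  serviceSystem.refreshServices(); // force fresh "running" flags
  var services = serviceSystem.serviceInfo.service;
  for (var i = 0; i < services.length; i++) {
    if (services[i].key === key) { return services[i]; }
  }
  throw "unable to locate service " + key + " on host " + host.name;
}

// Snapshot of the two settings the hardening guide cares about.
function readState(host) {
  return {
    lockdown: host.config.lockdownMode.value,
    sshRunning: findService(host, SSH_SERVICE_KEY).running === true
  };
}

// mode "enable":  leave lockdown, then start SSH.
// mode "disable": stop SSH, then re-enter lockdown.
function applyAccessMode(host, mode) {
  var serviceSystem = host.configManager.serviceSystem;
  var before = readState(host);

  // The page's tasks only handle lockdownNormal; refuse strict lockdown explicitly
  // rather than fall through and start SSH on a host that stays locked down.
  if (before.lockdown === "lockdownStrict") {
    throw host.name + " is in strict lockdown mode; this task does not change it";
  }

  if (mode === "enable") {
    if (before.lockdown === "lockdownNormal") { host.exitLockdownMode(); }
    if (!before.sshRunning) { serviceSystem.startService(SSH_SERVICE_KEY); }
  } else if (mode === "disable") {
    if (before.sshRunning) { serviceSystem.stopService(SSH_SERVICE_KEY); }
    if (before.lockdown === "lockdownDisabled") { host.enterLockdownMode(); }
  } else {
    throw "invalid mode: " + mode;
  }

  // Post-condition: re-read the host and fail if it did not land in the expected
  // state, instead of trusting that the API calls took effect.
  var after = readState(host);
  var wantLockdown = (mode === "enable") ? "lockdownDisabled" : "lockdownNormal";
  var wantSsh = (mode === "enable");
  if (after.lockdown !== wantLockdown || after.sshRunning !== wantSsh) {
    throw host.name + " ended in unexpected state " + JSON.stringify(after);
  }
  log(host.name + ": lockdown=" + after.lockdown + " ssh=" + after.sshRunning);
  return after;
}

// Constructed fake host (assumption: only the API surface used above is modelled)
// so the example can run offline. In vRO, host is the VC:HostSystem input instead.
function makeFakeHost(name, lockdown, sshRunning) {
  var svc = { key: SSH_SERVICE_KEY, label: "SSH", running: sshRunning };
  var host = {
    name: name,
    config: { lockdownMode: { value: lockdown } },
    exitLockdownMode: function () { host.config.lockdownMode.value = "lockdownDisabled"; },
    enterLockdownMode: function () { host.config.lockdownMode.value = "lockdownNormal"; },
    configManager: {
      serviceSystem: {
        refreshServices: function () {},
        serviceInfo: { service: [svc] },
        startService: function (k) { if (k === svc.key) { svc.running = true; } },
        stopService: function (k) { if (k === svc.key) { svc.running = false; } }
      }
    }
  };
  return host;
}

// Usage: a hardened host is opened for maintenance and then closed again.
var demoHost = makeFakeHost("esx01.example.local", "lockdownNormal", false);
applyAccessMode(demoHost, "enable");
applyAccessMode(demoHost, "disable");
```

Because the workflow throws when the end state is wrong, a failed "disable" run shows up as a failed workflow token in vRO and in the vCenter task list instead of a green check mark on a host that is still reachable over SSH.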
vCenter Server Integration
The vCenter Server extension integrates vRealize Orchestrator workflows into the vCenter Web Client UI.
Context menu on host level:
The vCenter Server extension lets you select existing workflows for each inventory object type. I have enabled both workflows for managing Host Lockdown Mode and the SSH service at host level.
Workflow parameters:
The vCenter Web Client UI shows the same inputs as vRealize Orchestrator; here the hostSystem input is filled in automatically from the selected host.
Workflow scheduling:
The selected workflow can be run immediately or on a schedule. Scheduling is most useful for the Disable SSH workflow: schedule it for the end of a maintenance window so the host is locked down again even if nobody remembers to do it by hand.