Manage ESXi services using PowerCLI

Managing services on ESXi, is one task you’ll find yourself doing over and over again. In today’s post, I’ll focus on the SSH service this being from experience, one that is constantly enabled and disabled. It’s worth mentioning that disabling services that are seldom used is standard security practice as is enabling critical ones on a need-to-use only basis. The aim, here, is to reduce the attack surface of a system. Indeed, restricting SSH access on ESXi is one such example, which despite being a royal pain for many, is ultimately good practice.

There are three main methods you could use to manage the SSH service on ESXi these being the DCUI, vSphere clients and PowerCLI. Let’s review them all.

Method 1: Direct Console User Interface (DCUI)

For illustration purposes, I’m using a nested ESXi environment. In a production environment, you probably must walk or drive to where the server is located. Alternatively, you could connect remotely via an IP based KVM switch or an IPMI card to gain access. Regardless, the steps are always the same.

• Press F2 and log in as root. Press Enter.

• Select Troubleshooting Options from the menu. Press Enter.

• Select Enable SSH and press Enter to enable the service. Pressing Enter a second time will disable it.

Method 2: vSphere Client

I’m using vCenter to manage ESXi but you can similarly connect to an unmanaged ESXi host using the vSphere client.

UPDATE: Given a recent release of ESXi such as 6.5, you should be able to use the embedded host client to carry out the same task.

• Change to Hosts and Cluster view.
• Select the server where you want SSH enabled.
• Select Security Profile under Software.
• Click on Properties next to the Services list.
  

• Select SSH from the Services Properties window and click on the Options button.

• Click Start to enable the SSH service.

Method 3: The PowerCLI way

The third  method, as you’ve probably guessed, involves PowerShell more specifically PowerCLI. The latter is a so called interface developed by VMware to make life a little bit easier for us admins when managing vSphere and other products.

Assuming you have PowerCLI installed, go ahead and open up a shell window; type powercli or click the corresponding icon. In the Example 1, I’ve connected directly to an ESXi host. You can also target vCenter Server using the same command – Connect-VIserver – when managing multiple hosts. The latter is illustrated via Example 2 listed further down.

Example 1: Connecting to a single ESXi host

Connect to ESXi server using the following PowerCLI statement.

connect-viserver -Server 192.168.11.63 -User root -Password Password123

As this is a testing environment, I don’t care much about hiding the credentials used. If you’re paranoid, however, you can always drop the User and Password parameters from the command line which instead you’ll type in the credential box that pops up when the credentials  parameters are omitted.

We then use the following one-liner to list all the running services on ESXi. We filter the results by using where. In this case,  I’ve targeted the SSH service using the TSM-SSH keyword. Finally, I pipe the result into Start-VMHostService so I can start (enable) the SSH service.

get-vmhostservice | where {$_.Key -eq "TSM-SSH"} | Start-VMHostService

Example 2: Connecting to a vCenter Server

Suppose instead that you need to enable SSH on a number of ESXi hosts managed by vCenter Server. This is where PowerCLI really shines. We just need to loop the commands illustrated so far so we can target X number of hosts instead of one.

First, we establish a connection to the vCenter server using the same Connect-VIServer PowerCLI command.

Connect-VIServer -Server 192.168.11.87 -user <your account> -password <your password>

Next, let’s list the managed ESXi hosts; I have 3 nested hosts in my test environment as shown next.

Get-VMHost

Name ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz MemoryUsageGB MemoryTotalGB Version
---- --------------- ---------- ------ ----------- ----------- ------------- ------------- -------
192.168.11.63 Connected PoweredOn 4 424 8400 6.218 7.999 6.0.0
192.168.11.65 Connected PoweredOn 4 2544 8400 2.414 8.000 6.0.0
192.168.11.64 Connected PoweredOn 4 294 8400 2.431 8.000 6.0.0

Putting it all together, we first enumerate all the hosts. We then pipe the list of hosts into foreach. This returns a list of enabled and running services which is filtered using the SSH keyword as before. Finally, we start the SSH service irrespective if it’s already running or not.

Note: $_ corresponds to the current object in the pipeline. This is usually followed by an object’s property name.

Get-VMHost | foreach { get-vmhostservice -VMHost $_.name | where {$_.Key -eq "TSM-SSH"} | Start-VMHostService}

To stop the SSH service, simply substitute Start-VMHostService with Stop-VMHostService.  To disable confirmation, add -confirm:$false to the end of the command.

The following videos, illustrate each of the methods covered today.

https://youtube.com/watch?v=tuPHT_qGWpM

https://youtube.com/watch?v=bi-78egWg50

https://youtube.com/watch?v=6Qa6ZkViewM

That’s all there is to it, really. I think you’ll find that managing services with PowerCLI is faster and more convenient to using console or any of the vSphere clients.

[the_ad id=”4738″][the_ad id=”4796″]