Thursday, July 15, 2010

vSphere 4.1 upgrade gotchas: ssh, vCenter changes

With the release of vSphere 4.1 this week, we upgraded the lab cluster to check out the new features - especially the vStorage API stats like latency & IOPS.
After instantiating a new vCenter VM (64-bit Windows 2008, because 4.1 now requires 64-bit), I used the new 4.1 vCenter (loaded with the 4.1 upgrade zip file (upgrade-from-ESX4.0-to-4.1.0-0.0.260247-release.zip)). Each of the Dell 1950 nodes in the lab cluster completed the upgrade and reboot in under 15 minutes.
But what we found was that we could no longer ssh into the 4.1 nodes with our user accounts.
In /var/log/messages we saw (because we could get in as root on the console):
error: PAM: Permission denied for useracct from sourceIP

The /etc/passwd accounts were intact, and we could su - useracct - so what changed?

Turns out on the bottom of page 65 of the vsp_41_upgrade_guide.pdf the user accounts now need to be listed as root group members to allow ssh for them:

NOTE After upgrading to ESX 4.1, only the Administrator user has access to the service console. To grant service console access to other users after the upgrade, consider granting the Administrator permissions to other users.

So editing the /etc/group file and adding all the users we had in the wheel group for sudo access to the root group fixed the issue immediately.

If VMware's intent was to get the attention of ESX users "Hey 4.1 is the last ESX version - get migrating to ESXi!" - mission accomplished :)

Other than those minor hiccups (64 bit required for vCenter, ssh breaking) we are impressed with all the new features and performance improvements VMware has packed into a "minor" (4.0->4.1) release.

4 comments:

Surya Kiran said...

edit /etc/security/access.conf

+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:ALL:ALL (Deny all)

Adding a +:YourUser:ALL did the trick for me. I didn't have to add all the users to root group.

-Surya
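
Why both fixes (root group membership and an explicit access.conf line) work, and why the position of the added line matters, as an added example that is not from the original post, the commenters or VMware: a simplified Python model of pam_access first-match evaluation. It assumes stock Linux-PAM behaviour, where a bare token in the users field is tried as a login name and then as a group name; the group memberships are constructed and the "(Deny all)" annotation is left out of the rule text.

```python
# Simplified model of pam_access rule evaluation (added example, not VMware code).
# Covers only what the page shows: "perm:users:origins" lines with origin ALL.
# Assumption: stock Linux-PAM semantics, i.e. the first matching line decides and
# a bare users-field token is tried as a login name, then as a group name.

BASE_CONF = "+:root:ALL\n+:vpxuser:ALL\n+:vslauser:ALL\n-:ALL:ALL\n"

def parse(conf):
    """Return [(perm, user_tokens, origin_tokens)] for each rule line."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def token_matches(token, user, groups):
    """True if the token is ALL, the login name, or a group containing the user."""
    if token in ("ALL", user):
        return True
    return user in groups.get(token, set())

def allowed(conf, user, groups):
    """Apply the first rule whose users field matches the login."""
    for perm, users, origins in parse(conf):
        if "ALL" not in origins:
            continue  # host/tty origins are outside this simplified model
        if any(token_matches(t, user, groups) for t in users):
            return perm == "+"
    return True  # pam_access grants access when no rule matches

# Constructed group data; "useracct" is the placeholder name used in the post.
WHEEL_ONLY = {"wheel": {"useracct"}, "root": {"root"}}
IN_ROOT_GROUP = {"wheel": {"useracct"}, "root": {"root", "useracct"}}

if __name__ == "__main__":
    print("wheel only:          ", allowed(BASE_CONF, "useracct", WHEEL_ONLY))
    print("added to root group: ", allowed(BASE_CONF, "useracct", IN_ROOT_GROUP))
    print("rule before deny-all:",
          allowed("+:useracct:ALL\n" + BASE_CONF, "useracct", WHEEL_ONLY))
    print("rule after deny-all: ",
          allowed(BASE_CONF + "+:useracct:ALL\n", "useracct", WHEEL_ONLY))
```

Under this model the root-group workaround succeeds only because "+:root:ALL" also matches members of the root group, so it widens those accounts' file permissions as a side effect, while a per-user line placed above "-:ALL:ALL" grants ssh access without that.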

Amy said...

The problem with editing the access.conf is upon reboot the +:YourUser:ALL that you added is removed...

bobbydamercer said...

Hey Amy,

And what is the solution?

How to make these changes persistent across reboot?