VMware Cloud Community
DanielJGF
Enthusiast

ESXi 8.0 blocks community binaries

It seems that the latest version of ESXi (8.0) does not allow installing or executing community-supported binaries within the ESXi hypervisor OS.

According to VMware documentation, it seems that execution of binaries not signed by VMware is plainly blocked.

https://kb.vmware.com/s/article/76276

Are there any plans to reconsider this limitation?

9 Replies
DCasota
Expert

Hi,

Managing the acceptance levels of ESXi hosts was introduced a long time ago.

For ESXi 8.0, see https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-751034F3-5337-4DB2-8272-8DAC0980...

Be aware:

In these days of TPM 2.0, Secure Boot and VM Encryption, there is no upgrade path for community supported drivers. This ecosystem didn't survive. Facing the successful VMware fling program, of course there are exceptions.

The partner ecosystem pushed by VMware Partner Enthusiasts, Jedis, Evangelists, Experts must take that chip feature step.

DanielJGF
Enthusiast

Thank you very much for your answer.

Still, setting the host to CommunitySupported

# esxcli software acceptance set --level=CommunitySupported;esxcli software acceptance get
# CommunitySupported

And setting the VMkernel.Boot.execInstalledOnly to false still results in foreign .vib files being rejected.

# esxcli software vib install -v /tmp/somevib.vib -f
[ProfileValidationError]
In ImageProfile (Updated) ESXi-8.0.0-20513097-standard, the payload(s) in VIB somevib does not have sha-256 gunzip checksum. This will prevent VIB security verification and secure boot from functioning properly. Please remove this VIB or please check with your vendor for a replacement of this VIB
Please refer to the log file for more details.

Also, binaries already installed can't be executed:

-sh: ./somevib: Operation not permitted

DCasota
Expert

Did you try the esxcli software parameter --no-sig-check?

This is a VMware recipe for packages e.g. see here.

DanielJGF
Enthusiast

Yes, I also tried that flag, same result.

esxcli software vib install -v /tmp/somevib.vib -f --no-sig-check
[ProfileValidationError]
In ImageProfile (Updated) ESXi-8.0.0-20513097-standard, the payload(s) in VIB SOMEVIB does not have sha-256 gunzip checksum. This will prevent VIB security verification and secure boot from functioning properly. Please remove this VIB or please check with your vendor for a replacement of this VIB
Please refer to the log file for more details.

I am reading contradictory information, but some of this info points at the fact that VMware has totally blocked execution of community supported binaries in ESXi 8.0.

https://williamlam.com/2015/05/a-docker-container-for-building-custom-esxi-vibs.html

[Screenshot: No-CS-VIBs.png]

DCasota
Expert

Yes, true. Facing kb89619, good catch. Some vibs already failed or will fail.

A new hope from a community perspective is the Tanzu Vanguards skill-building program; see the mission at https://tanzu.vmware.com/vanguard.

The Tanzu portfolio has become a central piece. 'High-frequency trading in automatic updates' in a multi-cloud world, using open source and closed source OS, apps, tools, containers and artifacts, is the new normal. Becoming a strong VMware partner, this is the way.

anders_o
Enthusiast

You have to disable the *runtime* setting of execInstalledOnly, not the boot setting. There is a description of the difference between them here: https://www.truesec.com/hub/blog/esxi-8-0-and-execinstalledonly-the-good-the-bad-and-the-ugly

Scroll down to the section called "The Ugly" and run the command listed in the screenshot to disable execInstalledOnly.


chjing
Contributor

This doesn't work either.

[root@pek2-hs1-d0202:/vmfs/volumes] esxcli software vib install -v /vmfs/volumes/5e8364a1-63b04e26-9a9a-e4434bafaba0/NVIDIA-vGPU-kepler-VMware_ESXi_6.5_Host_Driver_367.134-1OEM.650.0.0.4598673.vib --force --no-sig-check
[ProfileValidationError]
In ImageProfile (Updated) ESXi-8.0.0-20513097-standard, the payload(s) in VIB NVIDIA_bootbank_NVIDIA-kepler-VMware_ESXi_6.5_Host_Driver_367.134-1OEM.650.0.0.4598673 does not have sha-256 gunzip checksum. This will prevent VIB security verification and secure boot from functioning properly. Please remove this VIB or please check with your vendor for a replacement of this VIB
Please refer to the log file for more details.

chjing
Contributor

[root@pek2-hs1-d0202:/vmfs/volumes] esxcli system settings kernel list | grep execInstalledOnly
execInstalledOnly Bool FALSE FALSE FALSE Execute only those files that have been installed via a vib package and have not been modified.


[root@pek2-hs1-d0202:/vmfs/volumes] esxcli software acceptance get
CommunitySupported

[root@pek2-hs1-d0202:/vmfs/volumes] esxcfg-advcfg --get-kernel execInstalledOnly
execInstalledOnly = FALSE

[root@pek2-hs1-d0202:/vmfs/volumes] esxcli system settings advanced list -o /User/execInstalledOnly
Path: /User/ExecInstalledOnly
Type: integer
Int Value: 0
Default Int Value: 1
Min Value: 0
Max Value: 1
String Value:
Default String Value:
Valid Characters:
Description: Runtime option to disable/enable execInstalledOnly. The runtime option is only checked if the related execInstalledOnly kernel option is disabled.
Host Specific: false
Impact: none


I have done everything, but still cannot install the NVIDIA vGPU VIB on an ESXi 8.0 host.

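As an added posture check (not code from this thread or from VMware): given the text of `esxcli system settings kernel list` and `esxcli system settings advanced list -o /User/execInstalledOnly` as quoted above, this Python decides whether execInstalledOnly is actually enforced, applying the precedence the option description states (the /User runtime option is only consulted when the kernel option is disabled), and flags the combination with a CommunitySupported acceptance level. The sample outputs are constructed, and the kernel-list column order (Configured, Runtime, Default) is an assumption.

```python
import re

# Constructed sample outputs modelled on the esxcli output quoted in this thread;
# not captured from a real host. Column order (Configured, Runtime, Default) is assumed.
KERNEL_LIST_WEAK = (
    "Name               Type  Configured  Runtime  Default  Description\n"
    "execInstalledOnly  Bool  FALSE       FALSE    TRUE     Execute only those files that have "
    "been installed via a vib package and have not been modified.\n"
)
KERNEL_LIST_HARDENED = KERNEL_LIST_WEAK.replace("FALSE       FALSE", "TRUE        TRUE")
ADVANCED_WEAK = "Path: /User/ExecInstalledOnly\nType: integer\nInt Value: 0\nDefault Int Value: 1\n"
ADVANCED_DEFAULT = ADVANCED_WEAK.replace("Int Value: 0", "Int Value: 1", 1)

KERNEL_RE = re.compile(r"^execInstalledOnly\s+Bool\s+(TRUE|FALSE)\s+(TRUE|FALSE)\s+(TRUE|FALSE)\b", re.M)
INT_RE = re.compile(r"^Int Value:\s*(\d+)\s*$", re.M)


def kernel_runtime_state(kernel_list_output):
    """True if the kernel boot option is currently active (Runtime column)."""
    m = KERNEL_RE.search(kernel_list_output)
    if not m:
        raise ValueError("execInstalledOnly not found in kernel settings output")
    return m.group(2) == "TRUE"


def user_option_value(advanced_output):
    """Integer value of the /User/ExecInstalledOnly runtime option (0 or 1)."""
    m = INT_RE.search(advanced_output)
    if not m:
        raise ValueError("Int Value not found in advanced option output")
    return int(m.group(1))


def effective_exec_installed_only(kernel_list_output, advanced_output):
    """Kernel option on -> enforced regardless of /User; kernel option off -> /User decides."""
    kernel_on = kernel_runtime_state(kernel_list_output)
    user_val = user_option_value(advanced_output)
    if kernel_on:
        return {"enforced": True, "source": "kernel", "user_option": user_val}
    return {"enforced": user_val == 1, "source": "user", "user_option": user_val}


def audit(acceptance_level, kernel_list_output, advanced_output):
    """Findings a defender would raise for this host's binary-execution posture."""
    findings = []
    if acceptance_level == "CommunitySupported":
        findings.append("acceptance level CommunitySupported: unsigned/community VIBs accepted")
    state = effective_exec_installed_only(kernel_list_output, advanced_output)
    if not state["enforced"]:
        findings.append("execInstalledOnly not enforced (kernel option off, /User option 0): "
                        "files outside installed VIB payloads may execute")
    return findings
```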