VMware Cloud Community
R_Schneiderman
Contributor

VDF and /dev/vmkcall

Hi,

I noticed that the permissions for VDF will allow other users (not root) to execute it; however, I receive the following:

Error during version check: Permission denied(13): bad permissions on /dev/vmkcall.

The permission for /dev/vmkcall is the following:

crw------- 1 root root 10, 167 Mar 19 19:41 /dev/vmkcall

My question is, if I were to change the permissions (say chmod 660 and chown user:root), would this affect the ESX server at any time or during the reboot process? What does this character device do?

Thanks.

14 Replies
kjb007
Immortal

What issue are you having? That is a character raw device, and I have the same permissions as you note below.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
R_Schneiderman
Contributor

My issue, as stated above, is that the user receives the error when trying to get the disk usage for each VMFS. I would need to modify the permissions on the char. device for it to work, but I wanted to know what this is used for and if it is bad practice/a bad idea to do so.

kjb007
Immortal

lol. In caps, I thought you were referring to some unknown acronym.

Anyway, vdf is a wrapper that ultimately runs vmkfstools. vmkfstools requires you to run it as root, hence the error.

You can modify the permissions on /dev/vmkcall; there are no associated issues that I know of. It's working for me.

P.S., I'm not sure I would give access to a regular user to execute vmkernel commands.

-KjB

Message was edited by: kjb007 : added P.S.

Texiwill
Leadership

Hello,

From a security perspective access to vmkfstools or vdf when not running as root is a very bad idea. Instead I would suggest you create a sudo entry that allows the user in question to run the command appropriately as the root user. This way you can log their command usage and see if they are abusing the privilege. VDF run too often is also not a good thing.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
R_Schneiderman
Contributor

Basically, the whole point of this is to have a service user remotely log in via script and pull the data from vdf (including the VMFS) for disk capacity monitoring. I would like to accomplish this with as few security risks as possible.

kjb007
Immortal

For that purpose, I would strongly suggest looking into the VI Toolkit. The PowerShell toolkit in particular has built-in functions to get this information, and the script would be a one-liner.

-KjB

R_Schneiderman
Contributor

Is there a Linux version, perhaps in Perl or bash?

kjb007
Immortal

Yes, there is a Perl VI toolkit as well. I mentioned PowerShell as that is what I use. The Perl toolkit has been around longer and is very powerful as well, but I am not as familiar with it as with the PowerShell toolkit.

-KjB

Texiwill
Leadership

Hello,

I use the VI Perl toolkit and it is indeed very powerful and has plenty of functionality. However, one thing to be aware of is that it requires a password to the system, either VC or the ESX host, in order to use it. If you use VC then the user can use their own, or you can use a 'service' user of some type. But you will still have to encode the password in the file somehow to 'automate' the process. That is a security risk if the file has the wrong permissions, etc.

Scripting of things that require passwords requires its own protections. There is one other way to make this work without passwords, but if coded incorrectly it leaves a hole in your system that you could fly a Boeing 777 through. It is better to require passwords and not to code them into programs or scripts, or bypass this level of security.


Best regards,

Edward L. Haletky

R_Schneiderman
Contributor

So basically, if I don't encrypt the password in the script, I'm kinda screwed. This would be a lot easier if the VMFS were obtainable via SNMP. BTW, Zenoss is the application I'm using to monitor the ESX servers. So if anyone has a better way to do so, please let me know.

stvkpln
Virtuoso

Have you thought about using sudo? You can configure it to allow certain commands to run (as root) without requiring further authentication. It just needs to be configured in the sudoers file. You could have the account you're using for Zenoss that logs in via ssh (I'm assuming using shared keys) be allowed to execute vdf without having to re-authenticate. It'd be the cleanest (and simplest) way moving forward, probably. You stated concerns of a security risk, but I'm not sure where the security risk comes in here... The whole point of sudo is to mitigate security risk and provide better auditing and accountability for granting root-level permissions.

-Steve
Texiwill
Leadership

Hello,

If sudo is used within a script and the user has permission to run the script then you may need a controlling terminal. If that is so then the script with sudo in it will fail fairly badly.

I do know this information is achievable. Unnoc uses it, as does HPSIM/VMM, so you can get the information programmatically.

Perhaps zenoss already has something they use?

Diztorted is also correct, I would configure sudo and try it within a script like the following. If this works through SSH then you are golden.

#!/bin/sh
sudo vdf


Best regards,

Edward L. Haletky

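As an added example that is not code from any poster in this thread, the following POSIX shell script ties together the two points made above: the restricted sudoers entry stvkpln and Texiwill describe (granting the monitoring account exactly one command and nothing else, with the !requiretty default that addresses the controlling-terminal failure Texiwill warns about), plus the parsing and audit side of the original poster's monitoring goal: extracting VMFS volumes over a usage threshold from vdf-style output and counting refused sudo calls in the log sudo writes. The account name monitor, the host name esxhost, the path /usr/sbin/vdf, and every sample line of output and log are constructed assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: user "monitor",
# host "esxhost", command /usr/sbin/vdf. All sample data below is constructed.

# Emit a sudoers fragment that grants one command with no arguments (the
# trailing "" in sudoers syntax) on one host only, so the account cannot reach
# vmkfstools or a shell through sudo. "!requiretty" lets the rule work from a
# non-interactive ssh session, which has no controlling terminal.
# Install it with visudo (e.g. visudo -f /etc/sudoers.d/monitor), never by cp.
sudoers_entry() {
    user="$1"; host="$2"; cmd="$3"
    printf 'Defaults:%s !requiretty\n' "$user"
    printf '%s %s = (root) NOPASSWD: %s ""\n' "$user" "$host" "$cmd"
}

# Constructed vdf-style output in the same column layout as df -P.
SAMPLE_VDF='Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda2              5036316   1968552   2811932  42% /
/vmfs/devices/disks/vmhba0:0:0:3 314572800 283115520  31457280  90% /vmfs/volumes/storage1
/vmfs/devices/disks/vmhba1:0:0:1 1073741824 536870912 536870912  50% /vmfs/volumes/san01'

# Print "mountpoint use%" for every VMFS volume at or above the threshold.
# Usage: vmfs_over_threshold 85 "$(ssh monitor@esxhost sudo /usr/sbin/vdf)"
vmfs_over_threshold() {
    threshold="$1"
    printf '%s\n' "$2" | awk -v t="$threshold" '
        NR > 1 && $6 ~ /^\/vmfs\/volumes\// {
            pct = $5; sub(/%$/, "", pct)
            if (pct + 0 >= t) printf "%s %s\n", $6, $5
        }'
}

# Constructed syslog lines in the format sudo emits: one allowed run of vdf
# and one refused attempt to run something the sudoers rule does not cover.
SAMPLE_AUTHLOG='Mar 19 19:41:02 esxhost sudo:  monitor : TTY=unknown ; PWD=/home/monitor ; USER=root ; COMMAND=/usr/sbin/vdf
Mar 19 19:42:10 esxhost sudo:  monitor : command not allowed ; TTY=unknown ; PWD=/home/monitor ; USER=root ; COMMAND=/usr/sbin/vmkfstools -l'

# Count refused sudo invocations by a given user; a non-zero count from the
# monitoring account means the service credential is being used for something
# other than its one permitted command and deserves a look.
sudo_denials() {
    printf '%s\n' "$2" | grep -c "sudo: *$1 : command not allowed"
}

# Demo on the constructed samples.
sudoers_entry monitor esxhost /usr/sbin/vdf
vmfs_over_threshold 85 "$SAMPLE_VDF"
echo "refused sudo calls by monitor: $(sudo_denials monitor "$SAMPLE_AUTHLOG")"
```

The sudoers line is deliberately narrower than "let the account run anything": it names the host, the target user, the command path, and forbids arguments, so the only thing the ssh key buys an attacker who obtains it is read-only capacity figures. Real vdf output on a given ESX release may differ in layout from the constructed sample, so check the column positions before pointing the parser at it.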
R_Schneiderman
Contributor

OK, I configured the server to use sudo and got what I needed out of it. Again, if SNMP could include all or most of the ESX resources, that would be superb.

Texiwill
Leadership

Hello,

I would open a request for improvement with your VMware Support Representative using those comments. The more of those they get, the better the chances that the support you desire will be added.


Best regards,

Edward L. Haletky
