michelev
Contributor
Contributor

[VCF]: RFE for VMware SoS Utility "--password-health" option

[VCF]: Request For Enhancement (RFE) for VMware Supportability and Serviceability (SoS) Utility Software "--password-health" option.

** Scope ** : Enhancement Supportability and Serviceability (SoS) Utility software
 
** Request for Enhancement (RFE) ** : Description
 
Please insert the SDDC Manager 'backup' local user account on the '--password-health' SoS option check. The '--password-health' SoS options check only the SDDC Manager 'root' & 'vcf' local user account.

The VCF precheck upgrade failed when the password of SDDC Manager 'backup' user local account expired (this account password will be valid only for 365 days by default). 

** Example ** :

# Find default SDDC Manager local users

root@mysddcvcf [ ~ ]# cat /etc/passwd | egrep -v '/bin/false|/sbin/nologin'
root:x:0:0:root:/root:/bin/bash
vcf:x:1000:996::/home/vcf:/bin/bash
backup:x:1001:994::/home/backup:/bin/bash
root@mysddcvcf [ ~ ]#
 
# Check my SoS version

root@mysddcvcf [ ~ ]#  /opt/vmware/sddc-support/sos --version
4.4.0.0-19312028
 
# Check password health of my VCF Management Domain (including SDDC Manager) before trying VCF upgrade precheck.

root@mysddcvcf [ ~ ]# /opt/vmware/sddc-support/sos --password-health
Welcome to Supportability and Serviceability(SoS) utility!
<..Output Truncated..>
Password Expiry Status : GREEN
+-----+---------------------------------------------+-------------------------+-------------------+--------------+-----------------+-------+
| SL# |                  Component                  |           User          | Last Changed Date | Expiry Date  | Expires in Days | State |
+-----+---------------------------------------------+-------------------------+-------------------+--------------+-----------------+-------+
<..Output Truncated..>
|  10 |       SDDC : mysddcvcf.example.local        |           vcf           |    May 31, 2022   |    Never     |      Never      | GREEN | <- missing 'backup' local user account
|     |                                             |           root          |    May 31, 2022   |    Never     |      Never      | GREEN | <- missing 'backup' local user account
<..Output Truncated..>
+-----+---------------------------------------------+-------------------------+-------------------+--------------+-----------------+-------+
Progress : 100%, Completed tasks : [VCF-SUMMARY, PASSWORD-CHECK]
<..Output Truncated..>
Health Check completed successfully for : [VCF-SUMMARY, PASSWORD-CHECK]
root@mysddcvcf [ ~ ]#

** Reference(s) & Link(s) ** :

 
** How to reproduce the issue ** :

The backup account is expired.

root@mysddcvcf [ ~ ]# chage -l backup
Last password change : Mar 02, 2021
Password expires : Mar 02, 2022 –> If you see here , it looks like the password was already expired.
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 365
Number of days of warning before password expires : 7

The VCF precheck upgrade failed and on lcm-debug.log found this message:  

Please verify that the account is active and is not locked, you might need to fix the workflow(s) for resources marked in error state. If the password of the account has expired, manually reset the password in the product and then perform a REMEDIATE operation in the SDDC Manager, to update its stored copy of the password.

root@mysddcvcf [ ~ ]# gzip -d /var/log/vmware/vcf/lcm/lcm.2022-09-27.0.log-debug.gz
root@mysddcvcf [ ~ ]# grep PASSWORD_MANAGER_COMMAND_EXECUTION_IN_VM_FAILED /var/log/vmware/vcf/lcm/lcm.2022-09-27.0.log-debug
2022-09-27T13:52:41.560+0000 DEBUG [vcf_lcm,b49adccb547a443d,770a,precheckId=e380ca9e-32c5-444f-96b9-188ce68ff024,resourceType=DEPLOYMENT_CONFIGURATION,resourceId=4760488e-aef1-462e-8003-5f8367c0a6a8] [c.v.e.s.l.c.v.p.PasswordUtils,Precheck-Single-1] Response object: {"statusCode":200,"response":{"id":"bfd3ce55-380b-4d6a-9f76-3f1411449750","description":"Validating Credentials for BACKUP.","executionStatus":"*****","validationChecks":[{"description":"Validating Credentials for resource BACKUP_FTP_4760488e-aef1-462e-8003-5f8367c0a6a8.","resultStatus":"*****","resourceName":"mysddcvcf.example.local","resourceId":"4760488e-aef1-462e-8003-5f8367c0a6a8","resourceType":"BACKUP","credentialType":"*****","username":"backup","passwordDetails":{"validityStatus":"INVALID","expiryDataRetrievalStatus":"UNKNOWN"},"errors":[{"errorCode":"PASSWORD_MANAGER_COMMAND_EXECUTION_IN_VM_FAILED","arguments":[],"message":"*****","remediationMessage":"Please verify that the account is active and is not locked, you might need to fix the workflow(s) for resources marked in error state. If the password of the account has expired, manually reset the password in the product and then perform a REMEDIATE operation in the SDDC Manager, to update its stored copy of the password.","causes":[{"message":"*****"}],"referenceToken":"ANTOK2"}]}]},"headers":{"Server":"nginx","Date":"Tue, 27 Sep 2022 13:52:41 GMT","Content-Type":"application/json","Connection":"close","X-Content-Type-Options":"nosniff","X-XSS-Protection":"1; mode=block","Cache-Control":"no-cache, no-store, max-age=0, must-revalidate","Pragma":"no-cache","Expires":"0","X-Frame-Options":"DENY"}}
root@mysddcvcf [ ~ ]#


HTH

Michele V.
Labels (1)
1 Reply
padapa
Contributor
Contributor

is there a question here or just providing information?

0 Kudos