ChadAbeln01
Contributor

Invoke-VMScript to interact with vtysh of the NSX L2VPN standalone client


Hi community, I am looking for anyone who may know if it is possible to interact with the guest OS of the NSX L2VPN standalone client (6.4.10-latest) using PowerCLI and the Invoke-VMScript cmdlet? I am not having success. The OS underneath appears to be "Linux from Scratch" and when executed, I keep getting "Invoke-VMScript Failed to authenticate with the guest operating system using the supplied credentials." I have tried both the root user and admin user, which have the passwords created upon OVF deployment.

I have tried LucD's Invoke-VMScriptPlusv3 as well with no luck. In the logs on the OS I see the following

nsx-l2vpn-edge vmsvc[1655]: [default]: [authpriv.err] pam_access(vmtoolsd:auth): access denied for user 'admin' from 'console'

My end goal is to automate configuring HA on Standalone L2 VPN Clients. After OVF deployment of two clients, it seems like you still need to interact with the OS and perform the following steps outlined in this document: https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/com.vmware.nsx.admin.doc/GUID-9FE3...

Any help here is greatly appreciated. 

NSX Edge 6.4.10 (build 17539626 kernel 4.4.185)


21 Replies
LucD
Leadership

This is most probably a PAM issue, where access for admin from console is not allowed.

I don't know which Linux distro is used, but on a regular Linux box making a change in /etc/security/access.conf should help.
Add the entry +:admin:ALL in there.



Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ChadAbeln01
Contributor

Thanks LucD! That helped get me further but it appears I am interacting with bash and not vtysh that NSX is operating on. Any suggestions for interacting via vtysh?

$command = "show service l2vpn"

VERBOSE: 4/16/2021 10:08:08 AM Invoke-VMScript Finished execution

ScriptOutput
-----------------------------------------------------------------------------------------------------------------------|
| bash: -c: line 0: syntax error near unexpected token `;'
| bash: -c: line 0: ` ; show service l2vpn ; '
|
---------------------------------------------------------------------------------------------------------------------

If I execute again using $command = "uname -a" 
Linux nsx-l2vpn-edge 4.4.185 #1 SMP Sat Jan 30 07:41:59 GMT 2021 x86_64 GNU/Linux

LucD
Leadership

The Invoke-VMScript cmdlet places the commands on one line, separated with a semicolon.
Did you try the same with Invoke-VMScriptPlus?


ChadAbeln01
Contributor

Using v3 it looks like the results are the same.

Start : 4/16/2021 4:29:00 PM
ScriptType : bash
ScriptText : #!/usr/bin/env bash
vtysh;show service l2vpn
PidOwner : admin
Pid : 20229
ScriptOutput : /tmp/vmware-admin_1658-915018462/chad.abeln_329944vmware76/chad.abeln_329944vmware161: line 2: vtysh: command not found
/tmp/vmware-admin_1658-915018462/chad.abeln_329944vmware76/chad.abeln_329944vmware161: line 2: show: command not found

ExitCode : 127
ScriptSize : 42
GuestOS : Linux

If I manually execute from the "start engineer" prompt which drops me into bash as root, I think it's trying to send the show command to bash and not the vtysh prompt.

LucD
Leadership

Did you check if the account you use actually logs into the bash shell?
That vtysh doesn't seem to be found.
Is the directory in the Path?


ChadAbeln01
Contributor

Base deployment of the NSX L2VPN standalone edge

LucD
Leadership

Try using the full path to the command.


ChadAbeln01
Contributor

Much closer...

 

Start : 4/16/2021 6:34:25 PM
ScriptType : bash
ScriptText : #!/usr/bin/env bash
/usr/local/bin/vtysh;show service l2vpn
PidOwner : admin
Pid : 26110
ScriptOutput : Name: NSX Edge
Version: 6.4.10
Build number: 17539626
Kernel: 4.4.185

nsx-l2vpn-edge> nsx-l2vpn-edge> % Unknown command.
nsx-l2vpn-edge> nsx-l2vpn-edge> nsx-l2vpn-edge> /tmp/vmware-admin_1658-915018462/chad.abeln_329944vmware168/chad.abeln_329944vmware229: line 2:
show: command not found

ExitCode : 127
ScriptSize : 63
Finish : 4/16/2021 6:36:28 PM
GuestOS : Linux

LucD
Leadership

Did you try with the commands on separate lines?

/usr/local/bin/vtysh
show service l2vpn


ChadAbeln01
Contributor

$pScript = @'
         /usr/local/bin/vtysh
         show service l2vpn
'@

Pid : 3068
ScriptOutput : Name: NSX Edge
Version: 6.4.10
Build number: 17539626
Kernel: 4.4.185

nsx-l2vpn-edge> nsx-l2vpn-edge> % Unknown command.
nsx-l2vpn-edge>
/tmp/vmware-admin_1655-3346586392/chad.abeln_15516vmware18/chad.abeln_15516vmware33: line 3: show: command not found

ExitCode : 127
ScriptSize : 69
Start : 4/16/2021 9:00:23 PM
ScriptType : bash
PidOwner : admin
OutFiles :
Finish : 4/16/2021 9:01:28 PM
GuestOS : Linux
ScriptText : #!/usr/bin/env bash
/usr/local/bin/vtysh
show service l2vpn

No dice. Checking the log file it looks like it gets into the vtysh...

LucD
Leadership

Is that show service a command in the vtysh?

In that case you might try piping that to the command

echo show service l2vpn | /usr/local/bin/vtysh


ChadAbeln01
Contributor

Nice, that worked! Any suggestions how I would address having to pass a password to get into privileged mode?

This works:

$pScript = @'
         echo show service l2vpn | /usr/local/bin/vtysh
'@

ScriptOutput : Name: NSX Edge
Version: 6.4.10
Build number: 17539626
Kernel: 4.4.185

nsx-l2vpn-edge> enable
Password:
Authentication failed!
nsx-l2vpn-edge>
/tmp/vmware-admin_1655-3346586392/chad.abeln_15516vmware144/chad.abeln_15516vmware21: line 3: <password omitted>: command not found

LucD
Leadership

If you change the echo string to include all that, including the password, each separated by \n, does that work?


ChadAbeln01
Contributor

$pScript = @'
echo enable \n password \n configure terminal | /usr/local/bin/vtysh
'@

Pid : 29237
ScriptOutput : Name: NSX Edge
Version: 6.4.10
Build number: 17539626
Kernel: 4.4.185

nsx-l2vpn-edge> enable n password n configure terminal n
% Unknown command.
nsx-l2vpn-edge>

ExitCode : 0
ScriptSize : 117
Start : 4/17/2021 4:04:38 PM
ScriptType : bash
PidOwner : admin
OutFiles :
Finish : 4/17/2021 4:04:39 PM
GuestOS : Linux
ScriptText : #!/usr/bin/env bash
echo enable \n password \n configure terminal | /usr/local/bin/vtysh

LucD
Leadership

The newline (\n) doesn't seem to work in that shell.
You'll have to find out which combination does.
I don't have access to that shell right now.


ChadAbeln01
Contributor

Beginning to think it may just not be possible. Tried many different variations to try and have it pass the password but they always seem to end up on the next line or never passed. Closest example below.

Pid : 12287
ScriptOutput : Name: NSX Edge
Version: 6.4.10
Build number: 17539626
Kernel: 4.4.185

nsx-l2vpn-edge> enable
Password:
Authentication failed!
nsx-l2vpn-edge>
Password

ScriptText : #!/usr/bin/env bash
echo -e 'enable' | /usr/local/bin/vtysh && echo -e 'Password\r'
echo -e 'configure terminal' | /usr/local/bin/vtysh

LucD
Leadership

Did you already try the password with a redirect?

echo -e 'enable' | /usr/local/bin/vtysh < password

 


LucD
Leadership

Ultimately you could try with Set-VMKeystrokes, see Automating VM keystrokes using the vSphere API & PowerCLI


ChadAbeln01
Contributor

Thanks Luc, I did try with the redirect as well. 

ScriptOutput : /tmp/vmware-admin_1655-3346586392/chad.abeln_15516vmware222/chad.abeln_15516vmware41: line 2: PASSWORDHERE: No such file or directory
/tmp/vmware-admin_1655-3346586392/chad.abeln_15516vmware222/chad.abeln_15516vmware41: line 2: echo: write error: Broken pipe
Name: NSX Edge
Version: 6.4.10
Build number: 17539626
Kernel: 4.4.185

nsx-l2vpn-edge> configure terminal
% Unknown command.
nsx-l2vpn-edge>

ExitCode : 0
ScriptText : #!/usr/bin/env bash
echo -e 'enable' | /usr/local/bin/vtysh < PASSWORDHERE
echo -e 'configure terminal' | /usr/local/bin/vtysh

The Set-VMKeystrokes is great but I don't believe it allows me to capture the output.
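
Added example (not part of the thread, and not VMware's or any poster's code): the two failed stdin attempts above and a line-per-command alternative, run against `fake_cli`, a hypothetical stand-in for /usr/local/bin/vtysh that prints each stdin line it receives. `fake_cli`, `PW` and the function names are invented here, and the thread does not establish whether the appliance's vtysh reads the enable password from stdin at all.

```shell
#!/usr/bin/env bash
# fake_cli is a hypothetical stand-in for /usr/local/bin/vtysh: it reports
# each stdin line it receives as one "command", so the framing is visible.
fake_cli() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        printf 'cmd%d=[%s]\n' "$n" "$line"
    done
}

PW='constructed-placeholder'   # constructed sample value, not a real secret

# Attempt from the thread: unquoted \n. The shell strips the backslash before
# echo runs, so the CLI receives ONE line containing literal "n" words.
attempt_unquoted() {
    echo enable \n "$PW" \n configure terminal | fake_cli
}

# Attempt from the thread: pipe plus "< name". The redirect replaces the pipe
# as stdin and "name" is opened as a FILE; the piped "enable" is never read,
# which is why echo can report "Broken pipe".
attempt_redirect() {
    f=$(mktemp)
    printf '%s\n' "$PW" > "$f"
    echo enable | fake_cli < "$f"
    rm -f "$f"
}

# One record per line: printf reuses the format for every argument, and the
# secret travels as stdin data, never as a script line for bash to execute.
send_lines() {
    printf '%s\n' "$@" | fake_cli
}

attempt_unquoted
attempt_redirect
send_lines enable "$PW" 'configure terminal'
```

Whatever form is used, the password is still part of the script text that Invoke-VMScript writes under /tmp in the guest and echoes back in ScriptText, as the outputs in this thread show.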
