kingcap3
Contributor

vsphere 4.1 lockdown mode

We had an issue where we enabled lockdown mode through vCenter for a couple of ESXi vSphere 4.1 hosts; our vCenter Server is a physical server. We had a power-down over the weekend, and when we brought up our vCenter Server, the vCenter Server service wouldn't start, so we couldn't connect to vCenter, and so we couldn't then start all our VM guests, which included our AD servers and a number of other application servers. So we then tried to connect the vSphere client to the individual ESXi hosts just to be able to start the guests directly on each ESXi host. I have found that with lockdown mode enabled, you can't even connect directly to the ESXi hosts, or even log in to the ESXi host console, press ALT-F1 and log in as root, as this option is denied, and we also can't disable lockdown mode using F2 as it is greyed out.

So my question is: if you have enabled lockdown mode through vCenter Server, and your vCenter Server is broken for whatever reason, you can't start any guests? So to me this represents a single point of failure, with no back-door option to be able to connect directly to the ESXi hosts to start guests if you can't get on your vCenter. Is my understanding and description correct with regard to this situation?

nsolop
Expert

Hi, it is expected that you have another local account (not the root account) to manage your hosts when lockdown mode is enabled, so you can manage your servers with those accounts.

Take a look at http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=101762...

Hope this helps.

Regards,

Nicolás

kingcap3
Contributor

Nicolas,

As we have vSphere 4.1, would this still apply? It seems to indicate that in vSphere 4.1, when you enable lockdown mode, it disables access from local accounts, and that all management must be performed through vCenter Server:

In vSphere 4.1, when you enable lockdown mode, permissions are removed from all local accounts, and all management must be performed through vCenter Server.

Thanks

Andy

nsolop
Expert

Hi again Andy,

I think that the restriction only applies to the root account, but I will check that out in my lab and let you know.

Nicolás!

nava_thulasi39

Hi,

It might be a late reply.

In vSphere 4, enabling lockdown mode prevents only the root account.

But in vSphere 4.1, it prevents all users from logging in to the host directly.

http://blogs.vmware.com/esxi/2010/09/the-new-lockdown-mode-in-esxi-41.html

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
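The practical consequence of the thread above is that a host in lockdown mode can only be administered through vCenter, so an operator wants to know, before any planned shutdown, which hosts are locked down and whether vCenter (and the infrastructure VMs it depends on) could be brought back without them. The following PowerCLI script is an added example, not code from the thread or from VMware: it audits the lockdown state of every host a vCenter Server manages via the vSphere API property HostSystem.config.adminDisabled, and shows the vCenter-side call for exiting lockdown mode on one host. The vCenter and host names are placeholders.

```powershell
# Added example (not from the thread): audit lockdown mode on every host
# managed by a vCenter Server, and show how lockdown is exited through vCenter.
# Assumes VMware PowerCLI is installed and that the names below are replaced
# with your own; 'vcenter.example.internal' and 'esxi01.example.internal' are
# placeholders.

$vCenter = 'vcenter.example.internal'   # placeholder: your vCenter Server
Connect-VIServer -Server $vCenter | Out-Null

# In the vSphere API, HostSystem.config.adminDisabled is $true when the host
# is in lockdown mode. Fetch only the properties needed for the report.
$report = Get-VMHost | ForEach-Object {
    $view = $_ | Get-View -Property Name, Config.AdminDisabled
    [PSCustomObject]@{
        Host     = $view.Name
        Lockdown = [bool]$view.Config.AdminDisabled
    }
}
$report | Format-Table -AutoSize

# Locked-down hosts cannot be managed directly, so record them and make sure
# vCenter itself, plus the VMs it needs (AD, DNS, its database), are not
# placed only on hosts from this list before a planned power-down.
$locked = @($report | Where-Object { $_.Lockdown })
Write-Host ("{0} of {1} hosts are in lockdown mode" -f $locked.Count, @($report).Count)

# Exiting lockdown mode for one host is a vCenter-side API call on the
# HostSystem object; it needs a working vCenter session, which is exactly
# what was missing in the outage described in the thread.
# $hostView = Get-View -ViewType HostSystem -Filter @{ 'Name' = '^esxi01\.example\.internal$' }
# $hostView.ExitLockdownMode()

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Running this as a scheduled job and keeping the report with the change records gives a defender a checklist of hosts that will be unreachable if vCenter is down; the commented-out ExitLockdownMode call is the supported way to reverse lockdown mode from vCenter, and in vSphere 4.1 there is no equivalent path from a local account.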