anders_o's Posts

Now I got the following thing to add in the .vmx file: cpuid.1.ecx="----:---0:----:----:----:----:----:----" I tried adding it, and it seemed to work: My VM didn't freeze despite running it for several hours, hibernating my host OS etc. Those of you who still have the problem, can you try changing the virtualHW.version back to "20" or whatever was your original value, recreate the original problem with the hang/freeze, and then try the cpuid.. line in your .vmx? I'm on Workstation version 17.0.2 build-21581411 now, by the way.

I got the following advice from VMware Support (see below). It didn't prevent the Linux VM from hanging on the first attempt, but I think I should try to shut down and start up my host OS fully to perform a fair test of it. Kindly follow the below steps and let us know if it helps to improve the situation Disable fast start up from host machine -Right-click the Start button. -Click Search. -Type Control Panel and hit Enter on your keyboard. -Click Power Options. -Click Choose what the power buttons do. -Click Change settings that are currently unavailable. -Click Turn on fast startup (recommended) so that the checkmark disappears. -Click Save changes.

I tried the "powercfg /powerthrottling disable.." suggested by @noxware above, and it unfortunately did not help against Linux VMs hanging after a while. Lowering the vHW version as described in my previous posts is still the only thing that has worked for me. I'm running Windows 10 21H1, 19043.2364 and have to run the Hyper-V components since some Windows security features rely on it. (EDIT): I had these problems on WS 16 (never tried 16.2.5, though) and on WS 17.0.0 and the current 17.0.1.

That's a fair question. Spontaneously, I'd say the text you quoted is from the pre-8.0 versions and is still correct, but it hasn't been clarified to include this new 8.0 feature. Try clicking the Feedback link on that page and ask. They do read the feedback, as we could see in my case above. Since removing the Shell Access for vpxuser is described in the Docs page it should be fully supported, and I don't see any problems with removing only Shell Access. vpxuser still has full Admin rights on the ESXi host and can read and write everything necessary to manage the ESXi host from vCenter Server.

And a couple of days ago I also wrote a blog post about how this setting looks very promising as a protection for preventing vSphere ransomware attacks from succeeding: https://www.truesec.com/hub/blog/how-to-prevent-ransomware-attackers-from-taking-over-your-esxi-8-0-hosts

Oh, that's interesting. I was testing on 17.0, but I can now see that 16.2.5 was actually released after 17.0. Just upgraded to 17.0.1 and will try to bump one of my test VMs back up to vHW 20 and see if it still freezes. (EDIT): Yes, it still freezes. I'll keep working my way down from vHW 20 to 10 to see where the problems stop.

Here's the .vmx file for the working Ubuntu VM. I made a clone of it to be able to compare the original and the "fixed" version, and so far the fixed one hasn't hung a single time, but unfortunately I've managed to break the vNIC, so it doesn't have a working network connection. The original VM was named "Ubuntu 22.10 Base" and the new clone is named "fixed-Ubuntu 22.10 Base". What I've done is basically to comment out (using the # character) the lines that existed in my Ubuntu vmx but did not exist in the VCSA vmx file (posted in my previous reply above). I've also changed the virtualHW.version to "10" from "20". .encoding = "windows-1252" config.version = "8" virtualHW.version = "10" # mks.enable3d = "TRUE" pciBridge0.present = "TRUE" pciBridge4.present = "TRUE" pciBridge4.virtualDev = "pcieRootPort" pciBridge4.functions = "8" pciBridge5.present = "TRUE" pciBridge5.virtualDev = "pcieRootPort" pciBridge5.functions = "8" pciBridge6.present = "TRUE" pciBridge6.virtualDev = "pcieRootPort" pciBridge6.functions = "8" pciBridge7.present = "TRUE" pciBridge7.virtualDev = "pcieRootPort" pciBridge7.functions = "8" vmci0.present = "TRUE" # hpet0.present = "TRUE" # nvram = "Ubuntu 22.10 Base.nvram" virtualHW.productCompatibility = "hosted" # powerType.powerOff = "soft" # powerType.powerOn = "soft" # powerType.suspend = "soft" # powerType.reset = "soft" displayName = "fixed-Ubuntu 22.10 Base" # usb.vbluetooth.startConnected = "TRUE" guestOS = "ubuntu-64" tools.syncTime = "TRUE" # sound.autoDetect = "TRUE" # sound.fileName = "-1" # sound.present = "TRUE" numvcpus = "2" cpuid.coresPerSocket = "1" vcpu.hotadd = "TRUE" memsize = "4096" mem.hotadd = "TRUE" scsi0.virtualDev = "lsilogic" scsi0.present = "TRUE" # sata0.present = "TRUE" scsi0:0.fileName = "Ubuntu 22.10 Base-cl1.vmdk" scsi0:0.present = "TRUE" # sata0:1.deviceType = "cdrom-image" # sata0:1.fileName = "C:\Users\[my username]\Downloads\ubuntu-22.10-live-server-amd64.iso" # sata0:1.present = "TRUE" # usb.present = "TRUE" # ehci.present = "TRUE" # svga.graphicsMemoryKB = "8388608" ethernet0.addressType = "generated" ethernet0.virtualDev = "e1000" # serial0.fileType = "thinprint" # serial0.fileName = "thinprint" ethernet0.present = "TRUE" # serial0.present = "TRUE" extendedConfigFile = "fixed-Ubuntu 22.10 Base.vmxf" floppy0.present = "FALSE" tools.upgrade.policy = "useGlobal" vmxstats.filename = "Ubuntu 22.10 Base.scoreboard" uuid.bios = "56 4d f4 5c 07 3a 45 65-12 40 da 24 58 07 ea 03" uuid.location = "56 4d f4 5c 07 3a 45 65-12 40 da 24 58 07 ea 03" pciBridge0.pciSlotNumber = "17" pciBridge4.pciSlotNumber = "21" pciBridge5.pciSlotNumber = "22" pciBridge6.pciSlotNumber = "23" pciBridge7.pciSlotNumber = "24" scsi0.pciSlotNumber = "16" # usb.pciSlotNumber = "32" ethernet0.pciSlotNumber = "32" # sound.pciSlotNumber = "34" # ehci.pciSlotNumber = "35" # sata0.pciSlotNumber = "36" scsi0:0.redo = "" svga.vramSize = "134217728" vmotion.checkpointFBSize = "134217728" # vmotion.checkpointSVGAPrimarySize = "268435456" # vmotion.svga.mobMaxSize = "1073741824" # vmotion.svga.graphicsMemoryKB = "8388608" # vmotion.svga.supports3D = "1" # vmotion.svga.baseCapsLevel = "9" # vmotion.svga.maxPointSize = "1" # vmotion.svga.maxTextureSize = "16384" # vmotion.svga.maxVolumeExtent = "2048" # vmotion.svga.maxTextureAnisotropy = "16" # vmotion.svga.lineStipple = "0" # vmotion.svga.dxMaxConstantBuffers = "15" # vmotion.svga.dxProvokingVertex = "0" # vmotion.svga.sm41 = "1" # vmotion.svga.multisample2x = "1" # vmotion.svga.multisample4x = "1" # vmotion.svga.msFullQuality = "1" # vmotion.svga.logicOps = "1" # vmotion.svga.bc67 = "9" # vmotion.svga.sm5 = "1" # vmotion.svga.multisample8x = "1" # vmotion.svga.logicBlendOps = "0" # vmotion.svga.maxForcedSampleCount = "16" # vmotion.svga.gl43 = "1" ethernet0.generatedAddress = "00:0c:29:07:ea:03" ethernet0.generatedAddressOffset = "0" vmci0.id = "-892196212" monitor.phys_bits_used = "40" cleanShutdown = "FALSE" softPowerOff = "FALSE" # usb:1.speed = "2" # usb:1.present = "TRUE" # usb:1.deviceType = "hub" # usb:1.port = "1" # usb:1.parent = "-1" # svga.guestBackedPrimaryAware = "TRUE" guestInfo.detailed.data = "architecture='X86' bitness='64' distroName='Ubuntu 22.10' distroVersion='22.10' familyName='Linux' kernelVersion='5.19.0-29-generic' prettyName='Ubuntu 22.10'" # sata0:1.startConnected = "FALSE" # tools.remindInstall = "TRUE" # usb:0.present = "TRUE" # usb:0.deviceType = "hid" # usb:0.port = "0" # usb:0.parent = "-1" ethernet0.connectionType = "nat" nvram = "fixed-Ubuntu 22.10 Base.nvram" vc.uuid = "" policy.vm.mvmtid = ""    

Hi. I'm having the same problems, but I can't turn off the Hyper-V features, since we use them for (corporate mandatory) security features. However, I think I've managed to get some promising results by "stealing" some vmx settings from my VCSA that is also running in Workstation and is not freezing. Check out my post in the other thread at https://communities.vmware.com/t5/VMware-Workstation-Pro/VMWare-Workstation-16-Pro-Ubuntu-22-04-1-VM-unresponsive-with/m-p/2952371/highlight/true#M179898

I've been having the same lockup problems that are described here with different versions of Ubuntu freezing after between 15-60 minutes of usage. Host OS is Windows 10 with the monthly patches regularly being installed. The thing is that I'm also running vCenter Server Appliance (VCSA) as a Workstation VM, and it doesn't lock up. So I posted my question in the vExpert community and someone suggested I compare my .vmx files between the VCSA and my Ubuntu machines. So I made a backup copy of my Ubuntu .vmx file and made some drastic changes to make it look more like the VCSA .vmx and now my Ubuntu has been running for 4-5 hours without locking up. However, I won't pop the champagne just yet, since this might just be a fluke. Can you perhaps try to do the same experiment as I did and comment out, change or remove the superfluous lines in a Linux VM .vmx to more or less match my VCSA .vmx and see if it helps you as well? Hopefully we can "divide and conquer" this down to the one or more settings that might be the culprit of the lockups. (Another "small" problem is that I've managed to break the networking in my test Ubuntu, but that's probably fixable) Below is my VCSA .vmx. Note that it's running off a snapshot, so don't change any of the scsi disk settings in your VMs, just focus on the extra config rows that you might have in your Linux .vmx. .encoding = "UTF-8" displayname = "vCenter Server 8.0" annotation = "VMware vCenter Server Appliance" guestos = "other3xlinux-64" virtualhw.version = "10" config.version = "8" numvcpus = "2" cpuid.coresPerSocket = "1" memsize = "14336" pciBridge0.present = "TRUE" pciBridge4.present = "TRUE" pciBridge4.virtualDev = "pcieRootPort" pciBridge4.functions = "8" pciBridge5.present = "TRUE" pciBridge5.virtualDev = "pcieRootPort" pciBridge5.functions = "8" pciBridge6.present = "TRUE" pciBridge6.virtualDev = "pcieRootPort" pciBridge6.functions = "8" pciBridge7.present = "TRUE" pciBridge7.virtualDev = "pcieRootPort" pciBridge7.functions = "8" vmci0.present = "TRUE" ide0:0.clientDevice = "FALSE" ide0:0.present = "TRUE" ide0:0.deviceType = "atapi-cdrom" ide0:0.autodetect = "TRUE" ide0:0.startConnected = "FALSE" ide0:0.allowguestconnectioncontrol = "true" scsi0:0.present = "TRUE" scsi0:0.deviceType = "disk" scsi0:0.fileName = "vCenter Server 8.0-disk1-000002.vmdk" scsi0:0.allowguestconnectioncontrol = "false" scsi0:0.mode = "persistent" scsi0:1.present = "TRUE" scsi0:1.deviceType = "disk" scsi0:1.fileName = "vCenter Server 8.0-disk2-000002.vmdk" scsi0:1.allowguestconnectioncontrol = "false" scsi0:1.mode = "persistent" scsi0:2.present = "TRUE" scsi0:2.deviceType = "disk" scsi0:2.fileName = "vCenter Server 8.0-disk3-000002.vmdk" scsi0:2.allowguestconnectioncontrol = "false" scsi0:2.mode = "persistent" scsi0:3.present = "TRUE" scsi0:3.deviceType = "disk" scsi0:3.fileName = "vCenter Server 8.0-disk4-000002.vmdk" scsi0:3.allowguestconnectioncontrol = "false" scsi0:3.mode = "persistent" scsi0:4.present = "TRUE" scsi0:4.deviceType = "disk" scsi0:4.fileName = "vCenter Server 8.0-disk5-000002.vmdk" scsi0:4.allowguestconnectioncontrol = "false" scsi0:4.mode = "persistent" scsi0:5.present = "TRUE" scsi0:5.deviceType = "disk" scsi0:5.fileName = "vCenter Server 8.0-disk6-000002.vmdk" scsi0:5.allowguestconnectioncontrol = "false" scsi0:5.mode = "persistent" scsi0:6.present = "TRUE" scsi0:6.deviceType = "disk" scsi0:6.fileName = "vCenter Server 8.0-disk7-000002.vmdk" scsi0:6.allowguestconnectioncontrol = "false" scsi0:6.mode = "persistent" scsi0:8.present = "TRUE" scsi0:8.deviceType = "disk" scsi0:8.fileName = "vCenter Server 8.0-disk8-000002.vmdk" scsi0:8.allowguestconnectioncontrol = "false" scsi0:8.mode = "persistent" scsi0:9.present = "TRUE" scsi0:9.deviceType = "disk" scsi0:9.fileName = "vCenter Server 8.0-disk9-000002.vmdk" scsi0:9.allowguestconnectioncontrol = "false" scsi0:9.mode = "persistent" scsi0:10.present = "TRUE" scsi0:10.deviceType = "disk" scsi0:10.fileName = "vCenter Server 8.0-disk10-000002.vmdk" scsi0:10.allowguestconnectioncontrol = "false" scsi0:10.mode = "persistent" scsi0:11.present = "TRUE" scsi0:11.deviceType = "disk" scsi0:11.fileName = "vCenter Server 8.0-disk11-000002.vmdk" scsi0:11.allowguestconnectioncontrol = "false" scsi0:11.mode = "persistent" scsi0:12.present = "TRUE" scsi0:12.deviceType = "disk" scsi0:12.fileName = "vCenter Server 8.0-disk12-000002.vmdk" scsi0:12.allowguestconnectioncontrol = "false" scsi0:12.mode = "persistent" scsi0:13.present = "TRUE" scsi0:13.deviceType = "disk" scsi0:13.fileName = "vCenter Server 8.0-disk13-000002.vmdk" scsi0:13.allowguestconnectioncontrol = "false" scsi0:13.mode = "persistent" scsi0:14.present = "TRUE" scsi0:14.deviceType = "disk" scsi0:14.fileName = "vCenter Server 8.0-disk14-000002.vmdk" scsi0:14.allowguestconnectioncontrol = "false" scsi0:14.mode = "persistent" scsi0:15.present = "TRUE" scsi0:15.deviceType = "disk" scsi0:15.fileName = "vCenter Server 8.0-disk15-000002.vmdk" scsi0:15.allowguestconnectioncontrol = "false" scsi0:15.mode = "persistent" scsi0.virtualDev = "lsilogic" scsi0.present = "TRUE" scsi1:0.present = "TRUE" scsi1:0.deviceType = "disk" scsi1:0.fileName = "vCenter Server 8.0-disk16-000002.vmdk" scsi1:0.allowguestconnectioncontrol = "false" scsi1:0.mode = "persistent" scsi1:1.present = "TRUE" scsi1:1.deviceType = "disk" scsi1:1.fileName = "vCenter Server 8.0-disk17-000002.vmdk" scsi1:1.allowguestconnectioncontrol = "false" scsi1:1.mode = "persistent" scsi1.virtualDev = "lsilogic" scsi1.present = "TRUE" scsi2.virtualDev = "lsilogic" scsi2.present = "TRUE" ethernet0.present = "TRUE" ethernet0.virtualDev = "vmxnet3" ethernet0.connectionType = "custom" ethernet0.addressType = "generated" ethernet0.wakeonpcktrcv = "true" ethernet0.allowguestconnectioncontrol = "true" vcpu.hotadd = "true" vcpu.hotremove = "true" mem.hotadd = "true" toolscripts.afterpoweron = "true" toolscripts.afterresume = "true" toolscripts.beforepoweroff = "true" toolscripts.beforesuspend = "true" extendedConfigFile = "vCenter Server 8.0.vmxf" virtualHW.productCompatibility = "hosted" floppy0.present = "FALSE" tools.upgrade.policy = "useGlobal" uuid.bios = "56 4d f3 08 c6 d6 5c 1c-b3 91 19 d2 9a 18 0f a0" uuid.location = "56 4d f3 08 c6 d6 5c 1c-b3 91 19 d2 9a 18 0f a0" scsi0:13.redo = "" scsi0:12.redo = "" scsi0:9.redo = "" scsi0:11.redo = "" scsi0:15.redo = "" scsi0:4.redo = "" scsi1:0.redo = "" scsi0:2.redo = "" scsi0:5.redo = "" scsi0:6.redo = "" scsi1:1.redo = "" scsi0:8.redo = "" scsi0:3.redo = "" scsi0:10.redo = "" scsi0:14.redo = "" scsi0:1.redo = "" scsi0:0.redo = "" pciBridge0.pciSlotNumber = "17" pciBridge4.pciSlotNumber = "21" pciBridge5.pciSlotNumber = "22" pciBridge6.pciSlotNumber = "23" pciBridge7.pciSlotNumber = "24" scsi0.pciSlotNumber = "16" scsi1.pciSlotNumber = "32" scsi2.pciSlotNumber = "33" ethernet0.pciSlotNumber = "160" svga.vramSize = "134217728" vmotion.checkpointFBSize = "134217728" ethernet0.generatedAddress = "00:0C:29:18:0F:A0" ethernet0.generatedAddressOffset = "0" vmci0.id = "-1709699168" monitor.phys_bits_used = "40" cleanShutdown = "FALSE" softPowerOff = "FALSE" tools.syncTime = "TRUE" ethernet0.vnet = "VMnet10" ethernet0.displayName = "VMnet10" guestInfo.detailed.data = "architecture='X86' bitness='64' distroName='VMware Photon OS' distroVersion='3.0' familyName='Linux' kernelVersion='4.19.232-4.ph3' prettyName='VMware Photon OS/Linux'" checkpoint.vmState = "" vmxstats.filename = "vCenter Server 8.0.scoreboard"  

FYI @lamw wrote a great blog post as a response to this question. It covers how to use these new features to disable shell access for ESXi users, but most importantly how to prevent 'vpxuser' from changing other ESXi users' passwords. This will come in very handy in preventing ransomware attacks from succeeding. Blog post coming up as soon as I have the time. William's blog post: https://williamlam.com/2023/01/applying-additional-security-hardening-enhancements-in-esxi-8-0.html

I'd really like to know how to do the other part of what the Docs page described: "You can also use the API or ESXCLI to prevent the vpxuser user from changing other users' passwords." I've tried to figure out which command that would do this, both by looking at esxcli commands and their methods/arguments and doing web searching to find more info on this, but I can't seem to find anything. Does anyone happen to know where I should look?

Thanks for the reminder of the feedback feature. I keep forgetting that there are actual humans reading the feedback, so it's great to get reminded of that. Now I've sent them the same question that I posted here. Regarding the new commands, I did do some digging (Googling ) and found some blog posts detailing which the new esxcli commands were, but didn't find anything there. I guess this was a new argument/switch rather than a completely new command, so thanks for the digging! Now I'm going to do some testing. I hope I'll be able to use this to make it more difficult for an attacker moving the usual route from AD->vCenter->ESXi when deploying ransomware.

You have to disable the *runtime* setting of execInstalledOnly, not the boot setting. There is a description of the difference between them here: https://www.truesec.com/hub/blog/esxi-8-0-and-execinstalledonly-the-good-the-bad-and-the-ugly Scroll down to the section called "The Ugly" and run the command listed in the screenshot to disable execInstalledOnly.  

Thanks, that helped me as well, but with a slightly different problem: vLCM was complaining about some components/drivers being newer on the hosts compared to the vLCM image. On the first couple of hosts we "solved" it by going in and downgrading the affected components, but your proposed solution was obviously better. Our error message was: "Downgrades of manually added Components Broadcom Emulex Connectivity Division lpfc driver for FC adapters(14.0.326.12-1), Broadcom Native 12Gbps SAS/PCIe MPT Driver(19.00.03.00), Broadcom Native MegaRAID SAS(7.719.02.00), Broadcom NetXtreme-E VMKAPI network and RoCE driver for VMWare ESXi(220.0.165.0-1OEM), VMware Tools Async Release(12.0.0) in the desired ESXi version are not supported." Since these had already been uploaded to the VUM database (manually, I think), I could fairly easily find them when editing my image under 'Add Components' and change the version to match the existing ones in the error message.