ESXTOP access with read-only account


This week we had a special request from an internal project: they needed to run esxtop to check performance statistics (CPU, memory and so on) for VMs and hosts.

This was a “problem” for us. For security reasons, we do not hand out root access to our ESXi hosts, and esxtop normally requires root access to the ESXi host shell console. We needed a way to provide esxtop without changing how our data centers work.

There are some third-party tools that let you read esxtop statistics without opening the ESXi host shell console over SSH, but these tools usually need root permissions as well.

To find a solution for a read-only user (or, at minimum, a non-root user), the first step is to identify which permissions a user needs in order to access esxtop data.

I found a good article from William Lam about esxtop and user permissions.

You need to create a role (on each ESXi host) with this privilege: Global – Service Managers.

You need to create the same user on every ESXi host and assign it the role created in the previous step.

After the user and role exist on all ESXi hosts, you can start testing the tools.

The tools that I tested are:

Option 1: VisualEsxtop

You can download and read about this Fling tool in VMware labs: https://labs.vmware.com/flings/visualesxtop

This tool runs as a Java application locally on your laptop or server, and it displays esxtop statistics much like Windows Performance Monitor (perfmon).

Just run the tool (the vtop.bat file) and add your ESXi host credentials (for a read-only user, use the user created in the previous step).

I think this is a useful tool. The only problem is that it does not display VM names, only World IDs. A World ID is the identifier the ESXi host assigns to the process (world) that runs a VM. To find out which VM a World ID belongs to, a user has to log in to the ESXi shell console and list the VMs with their World IDs (esxcli vm process list prints each VM's World ID), or you can write a small PowerCLI script that produces the same list.
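Here is an added shell example, not code from the original article or from the Fling, that turns the output of esxcli vm process list into a World ID to VM name table, so someone using VisualEsxtop can resolve the IDs it shows. The sample output below is constructed to match the layout that command prints; the VM names, IDs and UUIDs are made up. On a host you would pipe the live command output into world_id_map instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original article): map esxtop World IDs to VM
# display names using the output of `esxcli vm process list`.
# SAMPLE_ESXCLI_OUTPUT is constructed to mirror the command's real layout; the
# names, IDs and UUIDs in it are made up.

SAMPLE_ESXCLI_OUTPUT='web01
   World ID: 2101234
   Process ID: 0
   VMX Cartel ID: 2101233
   UUID: 56 4d 1a 2b 3c 4d 5e 6f-70 81 92 a3 b4 c5 d6 e7
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx
db01
   World ID: 2105678
   Process ID: 0
   VMX Cartel ID: 2105677
   UUID: 56 4d 11 22 33 44 55 66-77 88 99 aa bb cc dd ee
   Display Name: db01
   Config File: /vmfs/volumes/datastore1/db01/db01.vmx
'

# world_id_map: read `esxcli vm process list` output on stdin and print one
# "<World ID><TAB><Display Name>" line per VM.
# On a host:  esxcli vm process list | world_id_map
world_id_map() {
    awk '
        /^   World ID:/     { wid = $3 }
        /^   Display Name:/ { sub(/^   Display Name: /, ""); printf "%s\t%s\n", wid, $0 }
    '
}

# vm_name_for_world WORLD_ID: print the display name for one World ID
# (prints nothing if the ID is not in the list).
# On a host:  esxcli vm process list | vm_name_for_world 2101234
vm_name_for_world() {
    world_id_map | awk -F'\t' -v want="$1" '$1 == want { print $2; exit }'
}

# Stand-alone demonstration on the constructed sample:
printf '%s' "$SAMPLE_ESXCLI_OUTPUT" | world_id_map
```

The World ID line precedes the Display Name line in each VM's block, which is why the awk script can remember the ID and emit the pair when it reaches the name; display names that contain spaces are kept whole because the name is taken from the remainder of the line rather than from a single field.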

With the second tool you do not need the per-host read-only user, because the tool runs inside the vSphere Web Client and you log in with your vCenter credentials.

Option 2: ESXtopNGC

You can download and read about this Fling tool in VMware labs: https://labs.vmware.com/flings/esxtopngc-plugin

Note: This tool is only supported on vCenter 5.5 and above (I tested it only on 5.5 and 6.0).

This tool is installed in the vSphere Web Client (on both the VCSA and the Windows vCenter Server).

  • vCenter Appliance

First, upload the files to /root on the vCenter Appliance (VCSA). You can use a tool like WinSCP to copy files to your VCSA.

Note: When you try to connect to your VCSA with WinSCP, you may get an error, because the default login shell for root on the appliance is the restricted appliance shell rather than Bash.

##Connect to your VCSA shell console; if the Bash shell is not enabled, enable it first.

In the VCSA shell, run this command to change root's default shell to Bash: chsh -s /bin/bash root. Once the upload is done, change it back with chsh -s /bin/appliancesh root so root is not left with an unrestricted login shell.

After that you should be able to connect to the VCSA with WinSCP and upload the plugin file to /root.

##Unzip the file ESXtopNGCPlugin-01.zip

Run the following commands:

When those commands finish, the plugin installation on the VCSA is complete.

  • Windows vCenter

Download the file ESXtopNGCPlugin-01.zip and unzip it into the plugin-packages folder on your Windows vCenter Server.

Depending on your vCenter Server version, browse to C:\Program Files\VMware\Infrastructure\vSphereWebClient\plugin-packages or C:\Program Files\VMware\vCenter Server\WebClient\plugin-packages

Then restart the vSphere Web Client service.

Now let’s check the ESXtop plugin. Login to your vCenter with vSphere Web Client.

If you see this message:

The vSphere Client web server is initializing
The vSphere Client web server is still initializing. Please try again shortly.

wait a minute or two; the Web Client is still restarting.

After a successful login, go to Hosts and Clusters, select an ESXi host, click the Monitor tab, and you should see the plugin tab named TOP.

The plugin exposes all the panels you get from esxtop. You can export the data by clicking the button “Start exporting stats”, and you can change the refresh rate by clicking the button “Set Refresh Rate”. The default is 15 seconds.

Important note: Some users report that after installing this plugin the VDP plugin disappears or stops working (and sometimes other plugins too). On Windows vCenter 6.0 and the VCSA I was not able to test this scenario, so test the plugin in a non-production environment before installing it on production vCenters.

The last option uses a user that does not need root access to the ESXi host shell console in order to run esxtop.

Option 3 (the option I used for our project request): Create a user on the ESXi host with Administrator permissions and restrict its login shell to esxtop

Note: This solution needs to be applied to all ESXi hosts you want to give access to ESXTOP.

First, log in to the ESXi host directly (not through vCenter) and create the user:

Open the Users tab, right-click and select Add.

  1. Add the login name and user name (optional).
  2. Add and confirm the user password (ESXi enforces password complexity).

Note: If you get “User name or password has an invalid format”, check for one of these causes:

  • Weak password: not enough different characters or character classes.
  • Weak password: too short.
  • Weak password: based on a dictionary word rather than a passphrase.
  • The user name is invalid if it contains a special character.
  • The password is invalid if it does not contain a letter, a number, and a special character.


After you create the user, you will see the user in the ESXi host user list.


Next, click the Permissions tab, right-click again and select Add.

Now assign Administrator permissions to the user you created above: add the user to the Administrator role.

You now have a user with Administrator permissions on the host.

After the user has the required permissions, log in to the ESXi host shell console and change this user's login shell so that the account can only run esxtop.

The login shell is defined in /etc/passwd, so that is the file to change.

The default entry is esxtop:x:1000:1000:esxtop:/:/bin/sh and you need to change it to esxtop:x:1000:1000:esxtop:/:/bin/esxtop (the UID and GID 1000 are what my host assigned; keep whatever values your entry has).

Now every time the esxtop user logs in to the ESXi host over SSH, esxtop starts automatically. The user can work with the tool with full permissions, and when they quit esxtop the SSH session ends, so this user never gets an interactive shell console. Keep in mind what this does and does not restrict: the custom login shell only blocks an interactive shell over SSH. The Administrator role you granted still gives this account full control of the host through the vSphere API and the vSphere Client, including changing users, permissions and host services. Treat the account as a privileged one (strong password, limited distribution), and if a non-administrator account is acceptable, prefer Option 1 with the Service Managers role instead.
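The /etc/passwd edit above can be made by hand, but on a production host it is safer to change only the intended user's shell field and verify the result. The following is an added example, not code from the original article: it assumes the user already exists in /etc/passwd, that /bin/esxtop is the shell you want, and that it runs from the ESXi shell as an account allowed to write /etc/passwd. The file path is a parameter so the functions can be exercised on a copy first. Whether the edited entry survives a reboot depends on ESXi saving /etc/passwd into its persisted configuration; verify the entry after a reboot on a non-production host before relying on it.

```shell
#!/bin/sh
# Added example (not from the original article): restrict a local ESXi user's
# login shell to esxtop by rewriting only that user's entry in /etc/passwd.
# Assumptions: the user already exists, /bin/esxtop is the desired shell, and
# the script runs from the ESXi shell with permission to write /etc/passwd.
# The passwd path is a parameter so the functions can be tried on a copy first.

# login_shell_of FILE USER : print the login shell (7th field) of USER's entry.
login_shell_of() {
    awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"
}

# set_login_shell FILE USER SHELL : replace only USER's shell field.
# Returns 1 if USER has no entry; keeps a backup at FILE.bak to revert from.
set_login_shell() {
    file=$1; user=$2; shell=$3
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$file" || {
        echo "set_login_shell: no entry for '$user' in $file" >&2
        return 1
    }
    # Warn (do not fail) if the shell binary is missing on this system: a user
    # whose login shell does not exist cannot log in at all.
    [ -x "$shell" ] || echo "set_login_shell: warning: $shell not found on this system" >&2
    cp "$file" "$file.bak"
    # Rewrite the 7th field of the matching user only; every other line is copied as-is.
    awk -F: -v OFS=: -v u="$user" -v s="$shell" '$1 == u { $7 = s } { print }' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    # Verify the edit took effect.
    [ "$(login_shell_of "$file" "$user")" = "$shell" ]
}

# On the host, after creating the user as described in the article:
#   set_login_shell /etc/passwd esxtop /bin/esxtop
# To revert:
#   cp /etc/passwd.bak /etc/passwd
# Then confirm the change survived a reboot on a test host:
#   login_shell_of /etc/passwd esxtop
```

The exact-match on the first field (rather than a substring sed) matters on a file like /etc/passwd: a pattern such as s#/bin/sh#/bin/esxtop# would also rewrite root's shell and lock you out of the host, whereas this only touches the line whose user name equals the one you pass in.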

Hope this information was useful.


©2017 ProVirtualzone. All Rights Reserved
Published March 14th, 2017 (last updated 2018-11-26) | Virtualization

About the Author:

I have over 20 years' experience in the IT industry and have worked with virtualization for more than 10 years (mainly VMware). I am an MCP, VCP6.5-DCV, VMware vSAN Specialist, Veeam Vanguard 2018/2019, vExpert vSAN 2018/2019 and vExpert for the last 4 years. My specialties are virtualization, storage and virtual backups. I work for Elits, a Swedish consulting company, and am allocated to a Swedish multinational networking and telecommunications company as a Tech Lead, acting as a Senior ICT Infrastructure Engineer. I am a blogger and the owner of the blog ProVirtualzone.com.
