This week we had a special request from an internal project that needed to run esxtop and check performance statistics for VMs and the host (CPU, memory, etc.).
This was a “problem” for us. For security reasons, we do not provide root access to our ESXi hosts. To run esxtop, we need root access to the ESXi host shell console. We needed to find a solution to provide this without changing the way of working of our Datacenters.
There are some third-party tools that you can use without accessing the ESXi host shell console (over SSH). Usually, these types of tools need root permissions.
To find a solution for a read-only user (or at least a non-root one), the first step is to identify which permissions a user needs to access esxtop.
I found a good article from William Lam regarding this esxtop and user permissions.
You need to create a role (in the ESXi hosts) with these permissions: Global – Service Managers
You need to ensure that you create the same user in all ESXi hosts and associate the user with this role created in the previous step.
After you have your user and roles created in all ESXi hosts, you can now start to test some of the tools.
The tools that I tested are:
Option 1: visualesxtop
You can download and read about this Fling tool in VMware labs: https://labs.vmware.com/flings/visualesxtop
This tool runs a Java application locally on your laptop or server, and you can check your esxtop statistics much like in the Windows Performance Monitor (perfmon).
Just run the tool (the vtop.bat file) and add your ESXi host credentials (for read-only users, use the user created in the previous step).
I think this is a useful tool. The only problem is that it doesn’t display VM names, only the World ID. The World ID is an ID set in the ESXi host process for running VMs. To identify which VM a World ID belongs to, a user needs to log in to the ESXi shell console and check the VMs and their World IDs (the esxcli vm process list command returns each VM's World ID), or you can create a small PowerCLI script to provide that list.
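One way to build that list from the command's output, as an added example that is not part of the original post. The sample listing is constructed (VM names, IDs, UUIDs and paths are made up) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: turn `esxcli vm process list` output into a World ID -> VM
# name table. An administrator runs this once and hands the table to the
# read-only user, who then never needs shell access to resolve World IDs.

# Read the listing on stdin, print one "WORLD_ID<TAB>DISPLAY NAME" per VM.
world_id_map() {
    awk '
        /^[[:space:]]+World ID:/ {
            sub(/^[[:space:]]+World ID:[[:space:]]*/, ""); wid = $0
        }
        /^[[:space:]]+Display Name:/ {
            sub(/^[[:space:]]+Display Name:[[:space:]]*/, "")
            if (wid != "") printf "%s\t%s\n", wid, $0
            wid = ""
        }'
}

# Print the display name for World ID $1; exit status 1 if it is not listed.
vm_name_for() {
    world_id_map | awk -F'\t' -v w="$1" \
        '$1 == w { print $2; found = 1 } END { exit !found }'
}

# Constructed sample in the layout esxcli prints (one indented block per VM).
sample_listing() {
    cat <<'EOF'
app-vm-01
   World ID: 68731
   Process ID: 0
   VMX Cartel ID: 68730
   UUID: 00 00 00 00 00 00 00 01-00 00 00 00 00 00 00 01
   Display Name: app-vm-01
   Config File: /vmfs/volumes/datastore1/app-vm-01/app-vm-01.vmx

db vm 02
   World ID: 70112
   Process ID: 0
   VMX Cartel ID: 70111
   UUID: 00 00 00 00 00 00 00 02-00 00 00 00 00 00 00 02
   Display Name: db vm 02
   Config File: /vmfs/volumes/datastore1/db vm 02/db vm 02.vmx
EOF
}

# On a host: esxcli vm process list | world_id_map
sample_listing | world_id_map
```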
In the second tool, you do not need to use a read-only user since you can run the tool in the vSphere Web Client directly.
Option 2: ESXtopNGC
You can download and read about this Fling tool in VMware labs: https://labs.vmware.com/flings/esxtopngc-plugin
Note: This tool is only supported for vCenter 5.5 and above (I only tested in 5.5 and 6.0).
This tool is installed in the vCenter Web Client (for VCSA and Windows vCenter).
- vCenter Appliance
First, you need to upload the files to the vCenter Appliance (VCSA) /root. You can use a tool like WinSCP to upload files into your VCSA.
Note: When you try to connect to your VCSA using WinSCP you could get a message similar to this one:
## Connect to your VCSA shell console; if the Bash shell is not enabled, you need to enable it.
Using username "root".
VMware vCenter Server Appliance 18.104.22.16800
Type: vCenter Server with an embedded Platform Services Controller
Last login: Sun Mar 5 15:26:58 2017 from unknown705a0f80b103.domain_not_set.invalid
Connected to service
* List APIs: "help api list"
* List Plugins: "help pi list"
* Enable BASH access: "shell.set --enabled True"
* Launch BASH: "shell"
Command> shell.set --enable True
---------- !!!! WARNING WARNING WARNING !!!! ----------
Your use of "pi shell" has been logged!
The "pi shell" is intended for advanced troubleshooting operations and while
supported in this release, is a deprecated interface, and may be removed in a
future version of the product. For alternative commands, exit the "pi shell"
and run the "help" command.
The "pi shell" command launches a root bash shell. Commands within the shell
are not audited, and improper use of this command can severely harm the
Help us improve the product! If your scenario requires "pi shell," please
submit a Service Request, or post your scenario to the
https://communities.vmware.com/community/vmtn/vcenter/vc forum and add
In the VCSA Bash shell, run this command to change the default shell to Bash: chsh -s /bin/bash root
nested-vcenter-06:~ # chsh -s /bin/bash root
Changing login shell for root.
After that, you should be able to connect to the VCSA and upload the plugin file to /root.
##unzip the file ESXtopNGCPlugin-01.zip
Run the following commands:
nested-vcenter-06:/ # unzip ESXtopNGCPlugin-01.zip -d /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin
nested-vcenter-06:/ # chmod -R 777 /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/
## restart vSphere Client
nested-vcenter-06:/ # /etc/init.d/vsphere-client restart
Last login: Sun Mar 5 10:53:13 UTC 2017 on console
Stopping VMware vSphere Web Client...
Stopped VMware vSphere Web Client.
Starting VMware vSphere Web Client...
Waiting for VMware vSphere Web Client......
## To return to the Appliance Shell, run this command:
nested-vcenter-06:/ # chsh -s /bin/appliancesh root
Changing login shell for root.
After that, the plugin installation is finished for the VCSA.
- Windows vCenter
Download the file ESXtopNGCPlugin-01.zip and unzip this file into the plugin-packages folder in your Windows vCenter Server.
Depending on your Windows version, browse to C:\Program Files\VMware\Infrastructure\vSphereWebClient\plugin-packages or C:\Program Files\VMware\vCenter Server\WebClient\plugin-packages
Afterwards, restart your vSphere Web Client service.
Now let’s check the ESXtop plugin. Login to your vCenter with vSphere Web Client.
If you get:
The vSphere Client web server is initializing
The vSphere Client web server is still initializing. Please try again shortly.
VMware vSphere Documentation and Support
Wait 1 or 2 minutes; the Web Client is still restarting.
After a successful login: select Hosts and Clusters, select one ESXi host, click the Monitor tab, and then you should see the plugin tab with the name TOP.
As you can see in the above image, the plugin has all the options from the esxtop. You can export the data by clicking the button “Start exporting stats”, and you can change the refresh rate clicking on the button “Set Refresh Rate”. The default is 15 seconds.
Important note: Some users complain that after installing this plugin, the VDP plugin disappears or stops working (or even other plugins). Using Windows vCenter 6.0 and VCSA, I was not able to test this scenario, so test this plugin in a non-production environment before you install it in production vCenters.
The last option is to use a user that can run esxtop without needing root access to the ESXi host shell console.
Option 3 (this was the option I used for our Project request): Create a user in ESXi host with admin permissions
Note: This solution needs to be applied to all ESXi hosts you want to give access to ESXTOP.
First, you need to login to ESXi host and create the user:
Click the Users tab, right-click and select Add.
- Add login name and user name (optional).
- Add and confirm user password (ESXi uses complex passwords).
Note: If you get “User name or password has an invalid format”, please check:
- Weak password: not enough different characters or classes.
- Weak password: too short.
- Weak password: based on a dictionary word and not a passphrase.
- User name or password has an invalid format
- The user name can be invalid if it contains a special character.
- The password can be invalid if it does not contain a letter, a number, and a special character.
After you create the user, you will see the user in the ESXi host user list.
Next click on the Permissions tab.
Again, click the right mouse button and select add option.
Now let’s add administrator permissions to the user you created above.
Add the user to the administrator permissions.
Now you have the user with administrator permissions.
After you have the user with the proper permissions, you now need to login to the ESXi host shell console with that user and change the user shell to only run esxtop for this specific user.
The user's login shell is set in the /etc/passwd file, so you need to change this file.
The default is esxtop:x:1000:1000:esxtop:/:/bin/sh and you need to change to esxtop:x:1000:1000:esxtop:/:/bin/esxtop
[esxtop@DL360-ESXi03:~] vi /etc/passwd
nfsnobody:x:65534:65534:Anonymous NFS User:/:/sbin/nologin
vpxuser:x:500:100:VMware VirtualCenter administration account:/:/bin/sh
Now, every time the esxtop user logs in to the ESXi host over SSH, esxtop runs automatically. The user can work with the tool with all permissions, but on exiting esxtop the ESXi host shell console session closes. Therefore, this user never has direct access to the shell console itself.
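A check that the edit took effect on each host, as an added example that is not part of the original post. The function names are hypothetical and the sample file is constructed from the entries shown above plus a made-up root line. It verifies only the SSH login shell; the Administrator role assigned earlier is unchanged by the /etc/passwd edit.

```shell
#!/bin/sh
# Added example: verify the restricted login shell in a passwd-format file.

# Print the login shell (7th field) of user $2 in passwd-format file $1.
login_shell_of() {
    while IFS=: read -r name _pw _uid _gid _gecos _home shell; do
        if [ "$name" = "$2" ]; then
            printf '%s\n' "$shell"
            return 0
        fi
    done < "$1"
    return 1   # user not present in the file
}

# Succeed only if user $2 exists and its login shell is exactly $3.
has_shell() {
    [ "$(login_shell_of "$1" "$2")" = "$3" ]
}

# List every account in file $1 whose shell is a general-purpose interpreter.
interactive_accounts() {
    while IFS=: read -r name _pw _uid _gid _gecos _home shell; do
        case "$shell" in
            */sh|*/ash|*/bash) printf '%s\n' "$name" ;;
        esac
    done < "$1"
}

# Constructed sample: entries from the post plus a made-up root line.
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:Administrator:/:/bin/sh
nfsnobody:x:65534:65534:Anonymous NFS User:/:/sbin/nologin
vpxuser:x:500:100:VMware VirtualCenter administration account:/:/bin/sh
esxtop:x:1000:1000:esxtop:/:/bin/esxtop
EOF
}

sample=$(mktemp)
write_sample "$sample"
if has_shell "$sample" esxtop /bin/esxtop; then
    echo "esxtop: login shell restricted to /bin/esxtop"
else
    echo "esxtop: login shell is NOT restricted" >&2
fi
echo "accounts with an interactive shell:" $(interactive_accounts "$sample")
rm -f "$sample"
```

On a host, pass /etc/passwd instead of the sample file; any unexpected name in the interactive list is an account that still gets a full shell over SSH.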
Hope this information was useful.