Altaro.com » Altaro's VMware Hub and blog » Automation and Management » Manage ESXi services using PowerCLI
Jason Fenech
by in Automation and Management
Tags: , , , ,

Manage ESXi services using PowerCLI

23 Nov 2015 by Jason Fenech
8 Automation and Management
 

Managing services on ESXi, is one task you’ll find yourself doing over and over again. In today’s post, I’ll focus on the SSH service this being from experience, one that is constantly enabled and disabled. It’s worth mentioning that disabling services that are seldom used is standard security practice as is enabling critical ones on a need-to-use only basis. The aim, here, is to reduce the attack surface of a system. Indeed, restricting SSH access on ESXi is one such example, which despite being a royal pain for many, is ultimately good practice.

There are three main methods you could use to manage the SSH service on ESXi these being the DCUI, vSphere clients and PowerCLI. Let’s review them all.

 

Method 1: Direct Console User Interface (DCUI)

For illustration purposes, I’m using a nested ESXi environment. In a production environment, you probably must walk or drive to where the server is located. Alternatively, you could connect remotely via an IP based KVM switch or an IPMI card to gain access. Regardless, the steps are always the same.

  • Press F2 and log in as root. Press Enter.

Figure 1

 

  • Select Troubleshooting Options from the menu. Press Enter.

Figure 2

 

  • Select Enable SSH and press Enter to enable the service. Pressing Enter a second time will disable it.

Figure 3

 

Method 2: vSphere Client

I’m using vCenter to manage ESXi but you can similarly connect to an unmanaged ESXi host using the vSphere client.

UPDATE: Given a recent release of ESXi such as 6.5, you should be able to use the embedded host client to carry out the same task.

  • Change to Hosts and Cluster view.
  • Select the server where you want SSH enabled.
  • Select Security Profile under Software.
  • Click on Properties next to the Services list.
    Figure 4

 

  • Select SSH from the Services Properties window and click on the Options button.

Figure 5

 

  • Click Start to enable the SSH service.

Figure 6

 

Method 3: The PowerCLI way

The third  method, as you’ve probably guessed, involves PowerShell more specifically PowerCLI. The latter is a so called interface developed by VMware to make life a little bit easier for us admins when managing vSphere and other products.

Assuming you have PowerCLI installed, go ahead and open up a shell window; type powercli or click the corresponding icon. In the Example 1, I’ve connected directly to an ESXi host. You can also target vCenter Server using the same command – Connect-VIserver – when managing multiple hosts. The latter is illustrated via Example 2 listed further down.

 

Example 1: Connecting to a single ESXi host

Connect to ESXi server using the following PowerCLI statement.

Figure 7

As this is a testing environment, I don’t care much about hiding the credentials used. If you’re paranoid, however, you can always drop the User and Password parameters from the command line which instead you’ll type in the credential box that pops up when the credentials  parameters are omitted.

Figure 8

 

We then use the following one-liner to list all the running services on ESXi. We filter the results by using where. In this case,  I’ve targeted the SSH service using the TSM-SSH keyword. Finally, I pipe the result into Start-VMHostService so I can start (enable) the SSH service.

Figure 9

 

Example 2: Connecting to a vCenter Server

Suppose instead that you need to enable SSH on a number of ESXi hosts managed by vCenter Server. This is where PowerCLI really shines. We just need to loop the commands illustrated so far so we can target X number of hosts instead of one.

First, we establish a connection to the vCenter server using the same Connect-VIServer PowerCLI command.

 

Next, let’s list the managed ESXi hosts; I have 3 nested hosts in my test environment as shown next.

Putting it all together, we first enumerate all the hosts. We then pipe the list of hosts into foreach. This returns a list of enabled and running services which is filtered using the SSH keyword as before. Finally, we start the SSH service irrespective if it’s already running or not.

Note: $_ corresponds to the current object in the pipeline. This is usually followed by an object’s property name.

To stop the SSH service, simply substitute Start-VMHostService with Stop-VMHostService.  To disable confirmation, add -confirm:$false to the end of the command.

 

The following videos, illustrate each of the methods covered today.

 

That’s all there is to it, really. I think you’ll find that managing services with PowerCLI is faster and more convenient to using console or any of the vSphere clients.

Have any questions or feedback?

Leave a comment below!

Jason Fenech

An IT veteran for over 23 years, I covered various roles throughout my career. Prior to joining Altaro as a blog writer and QA tester, I was employed as an infrastructure engineer at a cloud services provider working exclusively with VMware products. The Altaro VMware blog enables me to share the experience and knowledge gained and, much to my surprise, is what got me the vExpert 2017 award. Besides being a techie and a science buff, I like to travel and play guitars. I also do some photography and love having a go at playing the occasional XBOX game, Halo being my absolute favourite. I am also a proud father of two and parent to a crazy Dachshund called Larry.


8 Comments on “Manage ESXi services using PowerCLI”

  1. Trevor

    Hello Jason, Thank you for the above information. I am wondering if there is a way to stop particular services on mulitiple vm’s across hosts using PowerCLI instead of going to each vm to stop the services.

    Reply
    1. Jason FenechJason Fenech Post author

      Hi Trevor,

      I’m assuming you’re targeting Windows boxes. You can use something like;

      get-service -ComputerName vm1,vm2, … vmn -name {service name} | stop-service

      Note that the account you’re running the command with must have sufficient privileges on the Windows boxes to be able to enumerate and stop/start services.

      If the Win boxes are joined to a domain you could always use group policy especially if you want to permanently disable specific services.

      Hope this helps.

      Jason

      Reply
    1. Jason FenechJason Fenech Post author

      Hi,

      I think you’re referring to the input i.e. the commands I’m typing in the video. You can use the Set-PSReadlineOption cmdlet to change the colour input is displayed in. For instance if you want commands displayed in cyan, you’d use Set-PSReadlineOption -TokenKind Command -ForegroundColor cyan

      Use Get-PSReadlineOption for a complete list of token and current values. That said, these settings are applied automatically if you’re using a recent PowerCLI version, so your input should be similar to that in the video.

      On a similar note, if you want to colorize say a script’s output you can use something like; write-host “text to display” -ForegroundColor white -BackgroundColor blue

      Hope this helps.

      Jason

      Reply
    1. Jason FenechJason Fenech Post author

      Hi,

      Good question. I actually had to try this out and this is the best I could come up with;

      Connect-VIServer -server x.x.x.x -user xxxxx -password xxxxx
      (Get-EsxCli).network.ip.connection.list() | where {$_.LocalAddress -like ‘*:22’ -and $_.State -eq ‘ESTABLISHED’}

      Just replace the xxxxx’s with the ip address and creds of your ESXi host.

      I tested this on a host with 2 active connections and this is the output;

      CCAlgo : newreno
      ForeignAddress : 192.168.xxx.xxx:58409
      LocalAddress : 192.168.xxx.xxx:22
      Proto : tcp
      RecvQ : 0
      SendQ : 0
      State : ESTABLISHED
      WorldID : 34423
      WorldName : busybox

      CCAlgo : newreno
      ForeignAddress : 192.168.xxx.xxx:58028
      LocalAddress : 192.168.xxx.xxx:22
      Proto : tcp
      RecvQ : 0
      SendQ : 0
      State : ESTABLISHED
      WorldID : 34423
      WorldName : busybox

      Hope this helps.

      regards

      Jason

      Reply
  4. Charu Krishan

    Hi,

    We have multiple Datacenters and Clusters in our environement and want to start/stop SSH on multiple hosts, not all. Hosts on which I want to stop/start SSH service is on different Datacenters/Clusters.

    Could you please guide how can I perform this?

    Reply
    1. Jason FenechJason Fenech Post author

      Hi,

      If you have a single vCenter instance managing the environment, get-vmhost will return a list of all the hosts in that environment. You use the list to create an array (dynamically or manually) say of those hosts on which you want SSH enabled/disabled and loop on it.

      Example:

      $hostsList = @(“192.168.1.1″,”192.168.1.2″,”192.168.1.3”)

      #Stops SSH
      foreach ($esxi in $hostslist)
      {(get-vmhostservice -VMhost $esxi | where {$_.Key -eq “TSM-SSH”}) | Stop-VMHostService -Confirm:$false}

      #Starts SSH
      foreach ($esxi in $hostslist)
      {(get-vmhostservice -VMhost $esxi | where {$_.Key -eq “TSM-SSH”}) | Start-VMHostService -Confirm:$false}

      Output should be something like this:

      Key Label Policy Running Required
      — —– —— ——- ——–
      TSM-SSH SSH on False False
      TSM-SSH SSH on False False
      TSM-SSH SSH on False False

      Hope this helps

      regards

      Jason

      Reply

Have a question or comment? We'd love to hear it!

Your email address will not be published. Required fields are marked *

XHTML: You can use these tags <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">