Archive for May, 2014

vCert Manager – Installation

May 11th, 2014

As Michael Webster pointed out on Twitter, vExperts have the possibility to test out vCert Manager from VSS Labs.

After a little back and forth with Michael due to some email issues, I finally received the download and test license last week.

This will be a short series on how to install the product, integrate it with a Windows CA, and request, extend and replace certificates for hosts and vCenter Server components. Finally, I will see if it can actually solve my “nasty” lab, in which I pretty much reproduced every customer issue that I have run into so far in one single VM.

Contrary to what is mentioned on the VSS Labs website, the tool can actually cope with vCenter Server and ESXi 5.5.


Categories: Homelab, SSL Tags:

Patching or Upgrading ESXi fails with “insufficient memory” error

May 10th, 2014

A couple of days ago I helped out a junior engineer who had a customer on the line whose hosts could not be scanned, patched or upgraded using Update Manager 5.5. They would simply get the following error when scanning the hosts.


The same could be seen in the recent tasks and events.



On trying to simply scan and patch the host against the default VMware-delivered baselines, we got the following.



The customer had already uploaded a log bundle of the ESXi host and we could not see anything suspicious in /var/log/esxupdate.log. But vua.log had an important hint.



INFO:root:Running /sbin/esxcli system visorfs ramdisk add -M 332 -m 332 -n upgradescratch -t /upgrade_scratch -p 01777

We can see that root tries to do something, specifically to create and mount a new RAM disk. But why does that fail? The customer also could not connect to the host using PuTTY, getting “Access denied” errors. In the end the solution was rather simple, but it does not seem to be very well documented as a caveat of one of the major security features of ESXi.


At first I thought this might have been an issue with permissions on the host, with vpxuser not having full root rights as is officially documented. But on taking a more careful look at the log messages, Update Manager does not seem to be using vpxuser at all; it still tries to access the host using “root”, which is indeed blocked from logging in when lockdown mode is enabled.

Disabling lockdown mode immediately solved the issue for the customer.
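
The fix described above, wrapped so that lockdown mode is put back once patching is done. This is an added example, not part of the original post or of any VMware tooling: it assumes VMware PowerCLI with an existing Connect-VIServer session, and the function name Suspend-LockdownForPatching and the host name in the usage comment are hypothetical.

```powershell
# Added example. Requires VMware PowerCLI and an active Connect-VIServer session.
# Suspend-LockdownForPatching is a hypothetical helper name, not a PowerCLI cmdlet.
function Suspend-LockdownForPatching {
    param(
        [Parameter(Mandatory)] [string]      $HostName,    # ESXi host name as shown in vCenter
        [Parameter(Mandatory)] [scriptblock] $PatchAction  # the scan/remediate step to run
    )

    $vmHost = Get-VMHost -Name $HostName -ErrorAction Stop
    $view   = $vmHost | Get-View

    # HostConfigInfo.adminDisabled is $true while lockdown mode is enabled.
    $wasLocked = [bool]$view.Config.AdminDisabled
    Write-Host ("{0}: lockdown mode enabled = {1}" -f $vmHost.Name, $wasLocked)

    try {
        if ($wasLocked) {
            $view.ExitLockdownMode()
        }
        # Hand the host object to the caller's patch step.
        & $PatchAction $vmHost
    }
    finally {
        # Restore lockdown mode even if the patch step throws.
        if ($wasLocked) {
            $view.UpdateViewData()
            if (-not $view.Config.AdminDisabled) {
                $view.EnterLockdownMode()
            }
            Write-Host ("{0}: lockdown mode restored" -f $vmHost.Name)
        }
    }
}

# Pre-flight report: which hosts are in lockdown mode before a scan is attempted.
Get-VMHost | Select-Object Name, ConnectionState,
    @{ N = 'LockdownEnabled'; E = { $_.ExtensionData.Config.AdminDisabled } }

# Usage (host name is a placeholder):
# Suspend-LockdownForPatching -HostName 'esx01.lab.example' -PatchAction {
#     param($h) Write-Host "scan/remediate $($h.Name) here"
# }
```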



Categories: Case Post Mortems Tags: