Enabling services and setting security profiles
ESXi hosts enable a few services by default, but there are some additional services that are installed but blocked. In some cases, you might want to enable SSH on the host. However, VMware does not recommend enabling SSH and will display a warning. You can set an advanced setting to disable this warning.
Getting ready
To begin with, you should open a PowerCLI prompt and connect to an ESXi or vCenter host. You will also want to store a VMHost object in a variable named $esxihost.
How to do it…
- The first step is to get the list of available services from a VMware host. To do this, you use the Get-VMHostService cmdlet and pass the VMHost object into the cmdlet as follows:
  $esxihost | Get-VMHostService
- The output of the preceding cmdlet will display a list of the available services on the ESXi host, along with each service's policy (whether it is set on or off by default) and whether it is running. The label is a friendly identifier to find the service you want to configure, but the key is the piece of data you will use to return the single service you want.
- In this case, we're looking to configure the service with the TSM-SSH key. To scope the results down to that one service in the object, you will use a PowerShell where clause as follows:
  $esxihost | Get-VMHostService | where { $_.key -eq "TSM-SSH" }
- Now that you have it scoped down to a single service, you pass this object into the Set-VMHostService cmdlet with the desired policy of On as follows:
  $esxihost | Get-VMHostService | where { $_.key -eq "TSM-SSH" } | Set-VMHostService -Policy "On"
- At this point, you have configured the host to autostart the service on boot, but the service is still not running in the current boot. To start it, you will instead use the Start-VMHostService cmdlet. Again, you have to pass in the VMHostService object for SSH (or any other service that you choose):
  $esxihost | Get-VMHostService | where { $_.key -eq "TSM-SSH" } | Start-VMHostService
- With the service running, vSphere displays the warning that you have enabled SSH. This will leave your host showing in a warning state as long as the service is running. VMware does allow you to suppress this warning, but this is set through an advanced setting. To set this, you need to execute the following cmdlet:
  $esxihost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 1
- When executed, the preceding command line will prompt you to confirm the settings. This confirmation can be suppressed using the -Confirm:$false common parameter, which is useful in scripts:
  $esxihost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 1 -Confirm:$false
How it works…
For configuring host services, the native cmdlets follow the expected pattern of Get and Set functionality in PowerCLI. Get-VMHostService expects a VMHost object as the input, which is logical since these host services exist within the scope of a host. Once you get the host service by name and store it in a variable or pass it as an object in the pipeline, you can easily set the settings to the desired configuration. In addition to Get and Set cmdlets, you also have Start and Stop cmdlets. The Start and Stop cmdlets are more specific to this use case since we're dealing with host services and there is a specific need to start or stop them in addition to configuring them. The Start and Stop cmdlets also accept the HostService objects as inputs, just like the Set-VMHostService cmdlet.
In the specific use case of the SSH Server service, it causes a warning to be displayed to the client. To disable this warning from being displayed, you can use an advanced setting named UserVars.SuppressShellWarning. While this is not recommended for production systems, there are plenty of use cases where SSH is needed and is helpful in lab environments, where you might want to configure the setting.
There's more…
The cmdlet to start the SSH service can be easily adapted beyond the illustrated use case with the use of a ForEach loop. For troubleshooting and configuration, you might need to enable SSH in order to tail a log file or to install a custom module. In these cases, starting SSH in bulk might be handy. To do this, you take the preceding code and wrap it in the loop. An example of a connection to a vCenter host, a variable with multiple VMHost objects returned, and a loop to step through and start SSH on each is shown as follows:
Connect-VIServer vcenterhost.domain.local
$esxihosts = Get-VMHost
foreach ($esxihost in $esxihosts) {
    $esxihost | Get-VMHostService | where { $_.key -eq "TSM-SSH" } | Start-VMHostService
}
This quickly allows you to turn on SSH for temporary use. Following a reboot, the service will no longer be running, and you can easily change the preceding code to use the Stop-VMHostService cmdlet and turn off the service in bulk.
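An audit to pair with the bulk loop above, as an added example that is not from the original recipe: it reports, per host, whether TSM-SSH is running, its startup policy, and whether UserVars.SuppressShellWarning is hiding the warning, then previews returning flagged hosts to a stopped, warning-visible state. It assumes an existing Connect-VIServer session; the function name Get-SshExposure and the report column names are hypothetical.

```powershell
# Added example (not from the original recipe).
# Assumes an active Connect-VIServer session, as in the recipe above.
# Get-SshExposure and its column names are hypothetical, chosen for illustration.
function Get-SshExposure {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VMHost   # VMHost objects, for example from Get-VMHost
    )
    process {
        # Same key filter the recipe uses to isolate the SSH service.
        $ssh      = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "TSM-SSH" }
        $suppress = $VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning

        [pscustomobject]@{
            VMHost            = $VMHost.Name
            SshRunning        = $ssh.Running
            SshPolicy         = $ssh.Policy
            WarningSuppressed = ($suppress.Value -eq 1)
            # SSH running while the warning is hidden: nothing in the client shows it.
            Silent            = ($ssh.Running -and $suppress.Value -eq 1)
        }
    }
}

$report = Get-VMHost | Get-SshExposure
$report | Sort-Object VMHost | Format-Table -AutoSize

# Hosts where SSH is running, set to start on boot, or the warning is hidden.
$flagged = $report | Where-Object {
    $_.SshRunning -or $_.SshPolicy -eq "On" -or $_.WarningSuppressed
}

# Stop SSH, set its policy to Off, and make the warning visible again.
# -WhatIf only previews each change; remove it to apply.
foreach ($row in $flagged) {
    $h   = Get-VMHost -Name $row.VMHost
    $svc = $h | Get-VMHostService | Where-Object { $_.Key -eq "TSM-SSH" }
    if ($svc.Running) { $svc | Stop-VMHostService -Confirm:$false -WhatIf }
    $svc | Set-VMHostService -Policy "Off" -WhatIf
    $h | Get-AdvancedSetting -Name UserVars.SuppressShellWarning |
        Set-AdvancedSetting -Value 0 -Confirm:$false -WhatIf
}
```

Run the report after any temporary troubleshooting window; a host with Silent set to True has SSH running with no warning state in the client.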