
Dell VxRail: ESXi SSH is left enabled on primary VxRail node after nightly advisory report on 7.0.45x

Summary: ESXi SSH is left enabled on primary VxRail node after nightly advisory report on 7.0.45x.

This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

This knowledge article is for customers who have security concerns about the SSH service being left enabled on ESXi. The nightly VxRail advisory report check may leave SSH enabled on the primary VxRail node.
This occurs when health check submodules temporarily enable TSM-SSH on the ESXi nodes at the same time.

The health check subcomponent "Radar" (part of the VxRail health checks, pre-checks, and ADC) has multiple modules that are part of its automation.
The two modules that conflict with each other are "vsan_disk_utilization_check" and "VxVerify".

Example log snippet on enabling SSH for module "vsan_disk_utilization_check":
Radar.log from VxRail Manager:
2023-06-22 00:20:52,403.403Z INFO [vsan_disk_utilization_check] Running cmd on: hst011.cwf.fr > esxcli vsan health cluster get --test=diskspace|grep % [remote_utils.py:114]

shell.log from primary VxRail node:
2023-06-21T00:20:53.214Z SSH[6061650]: SSH login enabled

Example log snippet of VxVerify detecting the SSH status on all nodes, so that it can restore that status when it finishes:
VxVerify vxv.log from the VxRail Manager:
2023-06-22 00:20:59-INFO     [host_ssh_check] SSH status for node01.domain.tld is initially enabled

Example log snippet on disabling SSH for module "vsan_disk_utilization_check":
Radar.log from VxRail Manager:
2023-06-22 00:21:35,582.582Z INFO [vsan_disk_utilization_check] Host hst011.cwf.fr ran cmd. Response: b'59.53% (145196.93GB of 243916.11GB)     green      170741.28                  219524.50                \n',b'Could not create directory \'/home/tcserver/.ssh\'.\r\nload pubkey "/home/tcserver/.ssh/id_

shell.log from primary VxRail node:
2023-06-21T00:21:36.870Z SSH[6061853]: SSH login disabled

Cause

The two modules "vsan_disk_utilization_check" and "VxVerify" run in parallel with each other.
"vsan_disk_utilization_check" enables SSH, runs its command, and then disables SSH. Before it disables SSH, VxVerify has already detected that SSH is enabled on the primary VxRail node.
When VxVerify finishes, it restores SSH to the state it recorded at its start. Because that recorded state was enabled, SSH is left enabled.
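
Added example (not Dell's or Radar's code): a Python check that correlates the shell.log and vxv.log formats shown above to find runs in which VxVerify recorded "initially enabled" while SSH was only transiently on. The sample lines are constructed, and the check assumes both logs describe the same node and use the same time zone (UTC).

```python
import re
from datetime import datetime

# Constructed sample lines in the formats shown in this article (not real logs).
SHELL_LOG = """\
2023-06-22T00:20:53.214Z SSH[6061650]: SSH login enabled
2023-06-22T00:21:36.870Z SSH[6061853]: SSH login disabled
2023-06-23T00:20:51.100Z SSH[6071001]: SSH login enabled
2023-06-23T00:20:57.900Z SSH[6071050]: SSH login disabled
"""
VXV_LOG = """\
2023-06-22 00:20:59-INFO     [host_ssh_check] SSH status for node01.domain.tld is initially enabled
2023-06-23 00:21:02-INFO     [host_ssh_check] SSH status for node01.domain.tld is initially disabled
"""

SHELL_RE = re.compile(r"^(\S+?)(?:\.\d+)?Z SSH\[\d+\]: SSH login (enabled|disabled)")
VXV_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)-INFO\s+\[host_ssh_check\] "
                    r"SSH status for (\S+) is initially (enabled|disabled)")

def ssh_windows(shell_log):
    """Return closed (enabled_at, disabled_at) windows from ESXi shell.log text."""
    windows, start = [], None
    for line in shell_log.splitlines():
        m = SHELL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        if m.group(2) == "enabled" and start is None:
            start = ts
        elif m.group(2) == "disabled" and start is not None:
            windows.append((start, ts))  # SSH was on only between these two events
            start = None
    return windows

def racy_snapshots(shell_log, vxv_log):
    """VxVerify 'initially enabled' readings taken inside a transient SSH window."""
    hits, windows = [], ssh_windows(shell_log)
    for line in vxv_log.splitlines():
        m = VXV_RE.match(line)
        if not m or m.group(3) != "enabled":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for start, end in windows:
            if start <= ts <= end:  # state was sampled mid-window, so it is stale
                hits.append((m.group(2), ts, start, end))
    return hits
```

Each hit marks a run in which VxVerify would restore SSH to enabled when it finishes, so that node should be checked for TSM-SSH still running.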

Resolution

There are two ways of resolving this problem: One is to change the configuration to disable the "vsan_disk_utilization_check", and the other is to upgrade the ADC to the fixed version.


Resolution 1:
Disable "vsan_disk_utilization_check" in the Radar advisory report YAML file so that this check no longer runs and no longer causes the SSH enable/disable conflict.

Commands to disable and validate the "vsan_disk_utilization_check" disabled state:
su to root
vxrm0:/mystic/radar # cd /mystic/radar
vxrm0:/mystic/radar # grep -i vsan_disk_utilization_check /mystic/radar/conf/profile/advisory-report.yml
    - vsan_disk_utilization_check
vxrm0:/mystic/radar # cp /mystic/radar/conf/profile/advisory-report.yml /home/mystic/advisory-report.bckup
vxrm0:/mystic/radar # sed -i 's/^\( *\)- vsan_disk_utilization_check/#    - vsan_disk_utilization_check/' /mystic/radar/conf/profile/advisory-report.yml
vxrm0:/mystic/radar # grep -i vsan_disk_utilization_check /mystic/radar/conf/profile/advisory-report.yml
#   - vsan_disk_utilization_check


Disable ESXi TSM-SSH on all nodes and validate that it is disabled.

Wait for the overnight VxRail "Advisory Report" to run, then validate that SSH is left disabled.

You may need to reapply this resolution, because /mystic/radar/conf/profile/advisory-report.yml will be reverted during an ADC update.


Resolution 2:

Refer to KB https://www.dell.com/support/kbdoc/000019890 to upgrade the ADC to 1.5.331 (Radar version 1.0.830) or a later version to fix this issue.

Affected Products

VxRail, VxRail Appliance Series, VxRail Software
Article Properties
Article Number: 000216270
Article Type: Solution
Last Modified: 02 Aug 2024
Version:  5