Wednesday, December 30, 2009

fence_vmware and the root user

When using the fence_vmware agent to manage a VMware guest via VMWare ESX, be aware that the root user cannot be used for the ssh session to the ESX node (the '-l' argument for fence_vmware). A separate user should be created on the ESX node for the purpose of allowing ssh access for the fence_vmware agent. (Note though that it is safe to use the root user for within the VMware Service console -- the '-L' argument for fence_vmware).

Though may possible to manually launch an ssh session to the ESX node from the command-line, the fence_vmware agent isn't able to do so due to programmatic restriction in the fencing framework. (The reason is that the fencing framework expects a particular format for the shell prompt following login, which the root user's shell does not use.)

One may argue that remotely logging in as the root user is not a good idea to begin with; as such the fencing framework may have been intentionally designed with this restriction in mind. However there may be cases where practicality prevails, such as when setting up a closed test environment.

I did not find this restriction documented anywhere, and only discovered it after debugging the python scripts contained in the fencing framework. It is briefly mentioned here that "ssh is not allowed for user root"; however this is misleading in that it does not explain that the limitation is within the fencing framework and not with ssh itself. (Those of you familiar with ssh server administration may be aware that there is an item in the ssh config file to allow/deny remote access to the root user.)

While on the subject, kudos to the people behind this VMWare fencing documentation. Though I make a small clarification to their work in the previous paragraph, this guide is quite helpful in explaining the methods by which to fence a VMware guest.

No comments: