Luca Dell'Oca Principal Cloud Architect @Veeam
Virtual To The Core

Virtualization blog, the italian way.

CIM monitoring configuration on ESXi via PowerShell

Luca Dell'Oca, September 17, 2012 | December 4, 2016

As in many datacenters, we use monitoring software to keep track of many parameters of our infrastructure. Thanks to CIM, it is possible to use these APIs directly to monitor the hardware and health status of the ESXi servers, rather than using scripts and agents to accomplish the same result.

Nagios has some cool plugins that use CIM to monitor ESXi, but the problem was how to correctly configure the credentials needed to access CIM. I found out that William Lam had already dug into this problem, and his results are in this great blog post.

Anyway, since my comfort zone is in PowerShell code rather than Perl and Python, I used his findings to recreate the same script.

The goal, in both methods, is to create a user who only has the minimum privileges needed to read CIM data, so we can have a secure environment. In fact, by default ESXi has only these local Roles available:

PS C:\> Get-VIRole

Name                      IsSystem
----                      --------
NoAccess                  True    
Anonymous                 True    
View                      True    
ReadOnly                  True    
Admin                     True

If you try to create a nagios user, it will need this specific privilege:

So we need to create a new role that has only this privilege, to limit what the nagios user can do to the bare minimum. In William's script the privilege is referenced by its id, while in PowerShell you need to use its name. You can see the name in the role management screen, as in the screenshot above, or check it directly via PowerShell (Get-VIPrivilege without arguments gives you the complete list):

PS C:\> Get-VIPrivilege -Id Host.Cim.CimInteraction

Name                                Id                                 
----                                --                                 
CIM interaction                     Host.Cim.CimInteraction

Also, as William discovered, the user needs to be a member of the root group. So, to limit this user at least somewhat, the script denies it shell access.

This is the complete PowerShell script. With a simple for loop you can load a list of ESXi servers and configure them all at once.

## As usual, load needed PowerCLI cmdlets
asnp VMware.VimAutomation.Core -ErrorAction SilentlyContinue

# Define the ESXi server
$server = "server.domain.local"

#Connect to ESXi server
Connect-VIServer -Server $server -user root -password password

#Create a new role CIM, with the only needed privilege assigned to it
New-VIRole -Name CIM -Privilege "CIM interaction"

#Create the nagios account, assign it to root group, and deny it shell access
New-VMHostAccount -Id nagios -Description "nagios" -Password "password" -AssignGroups root -GrantShellAccess:$false

#Assign the role CIM to the newly created nagios account
New-VIPermission -Entity $server -Principal nagios -Role CIM

#Disconnect from ESXi server
Disconnect-VIServer -Server $server -Confirm:$false
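
The loop over several hosts mentioned above, as an added example that is not part of the original script. It prompts for the passwords instead of hard-coding them, skips objects that already exist so it can be re-run, and prints the privileges the CIM role ends up with on each host. Assumptions: esxi-hosts.txt is a hypothetical file with one host name per line, PowerShell 3.0 or later is used, and the PowerCLI cmdlets are already loaded.

```powershell
# Added example: apply the CIM role and nagios account to a list of ESXi hosts.
# esxi-hosts.txt is a hypothetical input file, one host name per line.
$servers    = Get-Content -Path .\esxi-hosts.txt | Where-Object { $_.Trim() }

# Prompt for secrets so they never appear in the script or the shell history
$rootCred   = Get-Credential -UserName root   -Message "ESXi root credentials"
$nagiosCred = Get-Credential -UserName nagios -Message "Password for the nagios account"

foreach ($server in $servers) {
    $conn = Connect-VIServer -Server $server -Credential $rootCred -ErrorAction Stop
    try {
        # Create the role only if it is missing; look the privilege up by id
        $role = Get-VIRole -Name CIM -Server $conn -ErrorAction SilentlyContinue
        if (-not $role) {
            $priv = Get-VIPrivilege -Id Host.Cim.CimInteraction -Server $conn
            $role = New-VIRole -Name CIM -Privilege $priv -Server $conn
        }

        # Create the nagios account: member of root group, no shell access
        if (-not (Get-VMHostAccount -Id nagios -Server $conn -ErrorAction SilentlyContinue)) {
            New-VMHostAccount -Id nagios -Description "nagios" `
                -Password $nagiosCred.GetNetworkCredential().Password `
                -AssignGroups root -GrantShellAccess:$false -Server $conn | Out-Null
        }

        # Assign the role (same New-VIPermission call as in the script above)
        if (-not (Get-VIPermission -Principal nagios -Server $conn)) {
            New-VIPermission -Entity $server -Principal nagios -Role $role -Server $conn | Out-Null
        }

        # Check: list what the role really grants. Expect Host.Cim.CimInteraction
        # plus the default System.* entries that every role carries.
        $ids = (Get-VIPrivilege -Role $role -Server $conn |
                Select-Object -ExpandProperty Id) -join ", "
        "{0}: CIM role privileges = {1}" -f $server, $ids
    }
    finally {
        # Always close the session, even if one of the steps failed
        Disconnect-VIServer -Server $conn -Confirm:$false
    }
}
```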

 

 
