A bit about vpxuser

General information


Here is what everyone knows: vpxuser is the account vCenter uses to manage the ESXi hosts that have been added to it (polling the hypervisor, submitting tasks). That is, the root account of ESXi plays no part in vCenter - ESXi communication (apart from the nuance that you need it once, to add the ESXi host to vCenter).

vpxuser has administrator privileges on ESXi. Thus the vCenter administrator can perform almost all the same host manipulations as root (ESXi), except creating, deleting or modifying the local users and groups of the ESXi host itself.
The vpxuser account cannot be managed through the AD directory service.

The vpxuser password is stored in non-plaintext form both on ESXi (as a password hash in /etc/shadow, like any other local account) and in the vCenter database (where it is stored encrypted), which is logical enough, and the password is unique for each ESXi host.

Connecting to ESXi as vpxuser


In some sources I have seen statements like this: "Knowing the vpxuser password will not give you anything; using this combination to connect to the host, or for any other purpose, is impossible." However, knowing the vpxuser password, you can connect to and manage ESXi (tested on standalone ESXi 5.5 U1 and on ESXi 5.5 U1 managed by vCenter 5.5, and not only on them).


On the other hand, you cannot find out the vpxuser password (at least I have not found a way), so to connect this way you would have to change the vpxuser password, and you should not do that (read on).

Changing the vpxuser password


The documentation contains a warning which, in my free translation, reads as follows:

ATTENTION: manipulate the vpxuser account at your own risk; this may break the vCenter - ESXi connection. If lockdown mode is enabled on the host, control of the host may be lost permanently.

It really is. Having tested this in the lab, I can say that after the vpxuser password is changed on ESXi, vCenter loses contact with the host. But not right away: in my case it happened after 18-20 hours. The most interesting thing is that immediately after changing the vpxuser password on ESXi I restarted the vCenter service (but not the machine it runs on), i.e. the established session should have been dropped and any credentials hypothetically held in a cache (or maybe not, or maybe not in a cache) should have been cleared. But that did not happen. VMware support did not comment on this behavior, saying that it does not answer questions about architectural features of the platform.

Another interesting point: later in this article there is information about the vpxuser password policy, and by default the password length is 32 characters. If you change the password manually on ESXi, for example with "passwd", you can set a much shorter one. Apparently this is because the policy is enforced by vCenter, and since it is also vCenter that changes the vpxuser password, the policy only ever polices vCenter itself. I.e. you can change the password, and you can set one that does not conform to the policy, but the connection with ESXi will be lost in the end.

The loss of connection is quite logical: when the vpxuser password is changed manually, the copy of the password in the vCenter database does not change.

Conclusion: do not change the vpxuser password yourself; let vCenter do it. If you change the vpxuser password by hand, then with 99% probability vCenter will sooner or later lose its connection to ESXi. I leave 1% for magical intervention.

Troubleshooting


If, nevertheless, changes were made to vpxuser (for example, the password was changed) and this made the ESXi host unavailable from vCenter (usually accompanied by the error: Call "ServiceInstance.RetrieveContent" for object "ServiceInstance" on Server "ip_address" failed), then proceed as follows (provided lockdown mode is not enabled and the host is reachable via SSH):

For releases 3.x and 4.x - kb.vmware.com/kb/1005759. In short:

  1. Right-click the host in vSphere Client and choose Disconnect (unless, of course, the host is already in that state). DO NOT REMOVE the host from vCenter.
  2. Connect to the host via SSH and run: userdel vpxuser
  3. Right-click the host and select Connect. Ignore any authentication errors.
  4. Enter the root username and password when prompted. The vpxuser account will be recreated.

For releases 5.x and 6.x the procedure is the same except for step 2 (i.e., you do not need to remove vpxuser).

Here it is worth paying attention to the phrase "if lockdown mode is not enabled". If the vpxuser password has been changed, vCenter has lost its connection to ESXi, and lockdown mode is on (i.e. access to the ESXi host is denied to everyone except vCenter), then VMware's official position is unambiguous: "reinstall ESXi."

Password Policy for vpxuser


Password expiration time


By default, the vpxuser password is updated every 30 days, but this can be changed:

1. In vSphere Client → Administration.
2. vCenter Server Settings ... → Advanced Settings.
3. Select the VirtualCenter.VimPasswordExpirationInDays parameter , set the desired value.
4. Restart the vCenter service.


VMware does not recommend changing this setting. Then again, VMware generally does not recommend doing anything; living is harmful, people die from it.

Password complexity


The vpxuser password is 32 characters long and contains at least one character from each of the following groups: special characters ({ ~ @ - } etc.), digits (1-9), uppercase Latin letters and lowercase Latin letters.
The documentation states that to change the vpxuser password length you can set the vpxd.hostPasswordLength parameter in the vCenter configuration file:

  • Linux (VCSA) - /etc/vmware-vpx/vpxd.cfg;
  • Windows - C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg;

The vpxd.hostPasswordLength parameter is not present in the config by default; it has to be added. Here is a fragment of the config with this parameter, showing where it goes:

<vmacore>
........
<vpxd>
<filterOverheadLimitIssues>true</filterOverheadLimitIssues>
<hostPasswordLength>32</hostPasswordLength>
<network>
<rollback>true</rollback>
</network>
........
</vpxd>

I.e. directly inside vpxd, not inside any other nested tag.
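As an added example (my own code, not VMware's and not from the original post), the following Python script performs the vpxd.cfg edit described above idempotently, placing hostPasswordLength directly under vpxd and flagging a copy that has landed inside a nested tag such as network, and it checks a candidate password against the policy described in this section. The config fragment embedded in the script is constructed to resemble the layout shown above (it assumes a config root element with a vpxd child); the digit class is taken as 0-9 and the special-character alphabet is an assumption. Back up vpxd.cfg before applying it to a real file, and restart the vCenter service afterwards, since vpxd reads the file at startup.

```python
"""Added example, not VMware's code: manage vpxd.hostPasswordLength in
vpxd.cfg and check a candidate vpxuser password against the policy
(32 characters, one from each of four classes). Sample config constructed."""

import random
import re
import secrets
import string
import xml.etree.ElementTree as ET

DEFAULT_HOST_PASSWORD_LENGTH = 32  # default length of vCenter-generated vpxuser passwords

# Constructed sample resembling vpxd.cfg (assumption: <config> root, <vpxd> child)
SAMPLE_VPXD_CFG = """<config>
  <vmacore>........</vmacore>
  <vpxd>
    <filterOverheadLimitIssues>true</filterOverheadLimitIssues>
    <network>
      <rollback>true</rollback>
    </network>
  </vpxd>
</config>
"""


def set_host_password_length(xml_text, length):
    """Return (new_xml, previous_value). Idempotent: updates an existing
    <vpxd><hostPasswordLength> or creates it as a direct child of <vpxd>,
    never inside <network> or any other nested element."""
    if not isinstance(length, int) or length < 1:
        raise ValueError("hostPasswordLength must be a positive integer")
    root = ET.fromstring(xml_text)
    vpxd = root.find("vpxd")
    if vpxd is None:
        vpxd = ET.SubElement(root, "vpxd")
    node = vpxd.find("hostPasswordLength")
    previous = None
    if node is None:
        node = ET.SubElement(vpxd, "hostPasswordLength")
    elif node.text:
        previous = node.text.strip()
    node.text = str(length)
    if hasattr(ET, "indent"):  # Python 3.9+: keep the file readable
        ET.indent(root)
    return ET.tostring(root, encoding="unicode"), previous


def get_host_password_length(xml_text):
    """Effective length: the <vpxd><hostPasswordLength> value, else the default."""
    node = ET.fromstring(xml_text).find("vpxd/hostPasswordLength")
    if node is not None and node.text and node.text.strip().isdigit():
        return int(node.text.strip())
    return DEFAULT_HOST_PASSWORD_LENGTH


def misplaced_host_password_length(xml_text):
    """Tags of elements that wrongly contain <hostPasswordLength>, i.e. any
    parent other than the top-level <vpxd>. [] means correctly placed or absent."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    bad = []
    for node in root.iter("hostPasswordLength"):
        parent = parent_of.get(node)
        if parent is None or parent.tag != "vpxd" or parent_of.get(parent) is not root:
            bad.append(parent.tag if parent is not None else root.tag)
    return bad


# Character classes from the policy; special alphabet is an assumption
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+{}[]~",
}
CLASS_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_vpxuser_policy(password, required_length=DEFAULT_HOST_PASSWORD_LENGTH):
    """List of policy violations; [] means compliant. A short password set by
    hand with passwd on ESXi fails the length rule but nothing stops it."""
    problems = []
    if len(password) != required_length:
        problems.append(f"length {len(password)} != {required_length}")
    for name, pattern in CLASS_PATTERNS.items():
        if not pattern.search(password):
            problems.append(f"no {name} character")
    return problems


def generate_vpxuser_style_password(length=DEFAULT_HOST_PASSWORD_LENGTH):
    """Generate a password that passes check_vpxuser_policy (illustrates what a
    vCenter-managed password looks like; this is not VMware's generator)."""
    if length < len(CHARACTER_CLASSES):
        raise ValueError("length too small to hold one character of each class")
    chars = [secrets.choice(alphabet) for alphabet in CHARACTER_CLASSES.values()]
    full = "".join(CHARACTER_CLASSES.values())
    chars += [secrets.choice(full) for _ in range(length - len(chars))]
    random.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    updated, previous = set_host_password_length(SAMPLE_VPXD_CFG, 40)
    print("previous:", previous, "now:", get_host_password_length(updated))
    print("misplaced:", misplaced_host_password_length(updated))
    print("passwd-set 'Short1!':", check_vpxuser_policy("Short1!"))
    print("generated:", check_vpxuser_policy(generate_vpxuser_style_password()))
```

To apply it to a real file, read vpxd.cfg into a string, pass it to set_host_password_length, and write the returned XML back; misplaced_host_password_length is the quick check to run if vCenter ignores the setting after a restart, since the parameter only takes effect as a direct child of vpxd.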

Conclusion: why change the password policy for vpxuser at all? There is no reason, and VMware does not recommend such nonsense.

In different releases


Here is something interesting: in early vSphere releases the vpxuser account did not exist on a standalone ESXi host (before the host was added to vCenter). This is confirmed by kb.vmware.com/kb/1005759: "The vpxuser account is created by VirtualCenter when an ESX host is added. Do not manipulate this account." I also checked by hand: on standalone ESXi 4.1 it really is absent. I suspected that in 4.1 this user is called vimuser (because the vpxuser password expiration is controlled by the VirtualCenter.VimPasswordExpirationInDays parameter) and that vimuser is simply predefined in ESXi 4.1, but when an ESXi 4.1 host is added to vCenter, vpxuser is actually created on the host and is NOT deleted after the host is removed from vCenter.

However, kb1005759 covers releases 4.x and earlier. In recent releases (5.5 and 6 for sure) vpxuser exists immediately after ESXi is installed. Apparently this account is not used until the host is added to vCenter. I could not find any definitive information on this nuance, but the user ap (Guru, vExpert) also believes that this account is not used. In addition, I changed the vpxuser password on a standalone ESXi host and noticed no consequences (for example, loss of access via SSH or the vSphere Client).

There must be some conclusion


The conclusion regarding vpxuser is extremely simple: this is one of those things you should not tune under almost any circumstances. The post is intended only to tell a little more about this account, about its presence in various releases, and about myths such as the claim that it cannot be used for a direct connection to ESXi.
