Stateless host with lockdown mode and active directory, ESXi users left in maintenance mode
Article ID: 312110

Products

VMware vSphere ESXi

Issue/Introduction

When booting a stateless host with a DVS and lockdown mode configured, and one or more Active Directory users in the lockdown mode exception list, post-boot fails with the error below:

2023-01-06T20:10:08Z Host Profiles[2101881 opID=MainThread]: INFO: Setting lockdown mode configuration:'QA\\s-virt-nessus-a', 'QA\\s-virt-nessus-b', 's-esxi-dcui']}
2023-01-06T20:10:08Z Host Profiles[2101881 opID=MainThread]: WARNING: Ignore users () that donot exist at postboot apply.
2023-01-06T20:10:08Z Host Profiles[2101881 opID=MainThread]: ERROR: EngineModule::ApplyHostConfig. Exception: (LocalizedException) { dynamicType = <unset>, dynamicProperty = (vmodl.DynamicProperty) [], msg = <unset>, faultCause = <unset>, faultMessage = (vmodl.LocalizableMessage) [ (LocalizableMessageWithPath) { dynamicType = <unset>, dynamicProperty = (vmodl.DynamicProperty) [], key = 'com.vmware.profile.Profile.lockdownMode.InvalidExceptionUser', arg = (vmodl.KeyAnyValue) [ (vmodl.KeyAnyValue) { dynamicType = <unset>, dynamicProperty = (vmodl.DynamicProperty) [], key = 'user', value = 'QA\\s-icinga-b' } ], message = 'Failed to update user accounts exempted from Lockdown Mode. Invalid user specified: QA\\s-icinga-b' } ] }
2023-01-06T20:10:08Z Host Profiles[2101881 opID=MainThread]: WARNING: EngineModule::ApplyHostConfig. Backtrace:
2023-01-06T20:10:08Z Host Profiles[2101881 opID=MainThread]: WARNING: File "/lib64/python3.8/site-packages/hostprofiles/tests/tools/hpcliModules/engineModule.py", line 549, in ApplyTaskList
2023-01-06T20:10:08Z Host Profiles[2101881 opID=MainThread]: WARNING: File "/lib64/python3.8/site-packages/hostprofiles/pyEngine/applyConfigSpec.py", line 4722, in ApplyHostConfig
2023-01-06T20:10:08Z Host Profiles[2101881 opID=MainThread]: WARNING: File "/lib64/python3.8/site-packages/hostprofiles/pyEngine/applyConfigSpec.py", line 4297, in ApplyGenericConfig
2023-01-06T20:10:08Z Host Profiles[2101881 opID=MainThread]: WARNING: File "/lib64/python3.8/site-packages/hostprofiles/pyEngine/genericProfileBridge.py", line 934, in RecurseRemediateConfig
2023-01-06T20:10:08Z Host Profiles[2101881 opID=MainThread]: WARNING: File "/lib64/python3.8/site-packages/hostprofiles/pyEngine/genericProfileBridge.py", line 928, in RecurseRemediateConfig
2023-01-06T20:10:08Z Host Profiles[2101881 opID=MainThread]: WARNING: File "/lib64/python3.8/site-packages/hostprofiles/pyEngine/simpleConfigProfile.py", line 1027, in RemediateConfig
2023-01-06T20:10:08Z Host Profiles[2101881 opID=MainThread]: WARNING: File "/usr/lib/hostprofiles/plugins/lockDownMode/lockdownModeProfile.py", line 133, in SetConfig raise CreateLocalizedException(


The host is left in maintenance mode.


Environment

VMware vSphere ESXi 7.0.3
VMware vSphere ESXi 7.0.2
VMware vSphere ESXi 7.0.1

Cause

For stateless hosts with a DVS and Active Directory configuration, Active Directory remediation is skipped at post-boot and is performed at the DVS reapply step instead. When the lockdown mode exception list contains an Active Directory user, that user cannot be recognized at post-boot because Active Directory remediation has not yet run, which produces the error above.

The lockdown mode exception list is remediated at the DVS reapply step, so once the DVS reapply completes the host is compliant with the host profile.
Because of the post-boot failure, however, the reapply operation does not exit maintenance mode; it leaves the host there so that the user can investigate the post-boot failure.

Resolution

Currently there is no resolution.


Workaround:

The user can work around the issue by writing a script, deployed and run through the Auto Deploy script bundle, that detects the completion of the reapply task and then exits maintenance mode. The reapply task can be identified in the vpxa log by an entry similar to:

2023-01-19T20:18:35.346Z info vpxa[2101084] [Originator@6876 sub=vpxLro opID=8338616-02-bd] [VpxLRO] -- BEGIN task-2 -- HostdHostProfileManager -- vim.profile.host.profileEngine.HostProfileManager.applyHostConfig -- 52c69920-8339-a15b-6677-d2f7eac77e8a

The script waits for the matching FINISH entry and then takes the host out of maintenance mode:

2023-01-19T20:19:07.527Z info vpxa[2101087] [Originator@6876 sub=vpxLro opID=8338616-02-bd] [VpxLRO] -- FINISH task-2
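The workaround above written out as a script, added here as an example and not part of the KB or of VMware's tooling: it finds the BEGIN entry for the applyHostConfig task in vpxa.log, waits for the FINISH entry with the same opID and task id, and only then exits maintenance mode. It assumes ESXi's busybox sh, the /var/log/vpxa.log path, esxcli on PATH, and that the script bundle may launch it in the background; the poll interval, timeout and the log file for its own output are values chosen here, not from the KB.

```shell
#!/bin/sh
# Added example (not VMware's code): wait for the host profile reapply task
# to finish in vpxa.log, then take the host out of maintenance mode.
# Assumptions: ESXi busybox sh, vpxa logs at /var/log/vpxa.log, esxcli on
# PATH; POLL_SECS / MAX_WAIT are tuning values chosen here, not from the KB.
VPXA_LOG="${VPXA_LOG:-/var/log/vpxa.log}"
POLL_SECS="${POLL_SECS:-15}"
MAX_WAIT="${MAX_WAIT:-3600}"

# Print "<opID> <task-id>" for the newest applyHostConfig BEGIN line, e.g.
# "8338616-02-bd task-2"; prints nothing if the task has not started yet.
reapply_task_key() {
    grep 'VpxLRO] -- BEGIN task-[0-9]* .*applyHostConfig' "$1" | tail -n 1 |
        sed -n 's/.*opID=\([^]]*\)].*-- BEGIN \(task-[0-9]*\) .*/\1 \2/p'
}

# Succeed (exit 0) only when the FINISH line for that same opID and task id
# is present; matching both avoids acting on a FINISH of an unrelated task.
reapply_finished() {
    key=$(reapply_task_key "$1")
    [ -n "$key" ] || return 1
    opid=${key%% *}
    task=${key#* }
    grep -qE "opID=$opid].*VpxLRO] -- FINISH $task( |\$)" "$1"
}

# Poll until the reapply has finished (or MAX_WAIT elapses), then exit
# maintenance mode only if the host is actually still in it.
wait_and_exit_maintenance() {
    waited=0
    while ! reapply_finished "$VPXA_LOG"; do
        [ "$waited" -lt "$MAX_WAIT" ] || { echo "reapply not finished after ${MAX_WAIT}s"; return 1; }
        sleep "$POLL_SECS"
        waited=$((waited + POLL_SECS))
    done
    if esxcli system maintenanceMode get | grep -q Enabled; then
        esxcli system maintenanceMode set --enable false
    fi
}

# Only run on a real ESXi host (esxcli present); backgrounded so the boot
# script that launches it is not blocked while the reapply is still running.
if command -v esxcli >/dev/null 2>&1; then
    wait_and_exit_maintenance >>/var/log/exit-maintenance.log 2>&1 &
fi
```

Matching the FINISH entry on both the opID and the task id keeps the host in maintenance mode until the profile, including the lockdown mode exception list, has actually been applied, rather than acting on the first FINISH line that appears.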