Scenarios where the ESXi Service Account is missing after bringup are resolved in VCF 4.3.
For other scenarios, please review the workaround section for steps to unblock.
Workaround:
To work around this issue:
Note: For VCF 5.1, please use the full path /usr/pgsql/13/bin/psql to invoke the psql command.
Scenario 1: If the issue is observed after Bringup is completed
- SSH to SDDC Manager
- Run the below command to fetch the esxi-id
- On SDDC Manager, create /tmp/in.json with the following content:
Note: The list should contain an entry for each missing ESXi service account. For example, the list below contains details for two accounts.
[
  {
    "username":"svc-vcf-<esxi-shortname>",
    "roleName":"Admin",
    "resourceType":"ESXI",
    "resourceId":"<esxi-id>"
  },
  {
    "username":"svc-vcf-<esxi-shortname>",
    "roleName":"Admin",
    "resourceType":"ESXI",
    "resourceId":"<esxi-id>"
  }
]
- For each missing ESXi service account in SDDC Manager, remove the local ESXi user:
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@<esxi-FQDN> "esxcli system account remove -i svc-vcf-<esxi-shortname>"
- Generate API token:
curl -X POST -H "Content-Type: application/json" -d '{"username": "<SSO-username>","password": "<SSO-password>"}' --insecure https://<sddc-manager-address>/v1/tokens | json_pp
Example:
Token Generation API Response:
{ "accessToken": "eyJhbGciOiJIUzI1NiJ9.[...]._92IFJCQsbRbAWd4PQmBDczWXtuVCWPOsL1ZyCdKEMU", "refreshToken": { "id": "3c6b3c30-3bf2-480b-9539-8483699ab928" } }
In the above example, replace <API-TOKEN> in the following steps with only the accessToken value:
eyJhbGciOiJIUzI1NiJ9.[...]._92IFJCQsbRbAWd4PQmBDczWXtuVCWPOsL1ZyCdKEMU
- Create the ESXi service account(s):
curl -X POST https://<sddc-manager-address>/v1/service-accounts -d @/tmp/in.json --insecure -H "Content-Type: application/json" -H "Authorization: Bearer <API-TOKEN>"
Response:
{"id":"<task-id>","name":"Creating Service Accounts","status":"IN_PROGRESS" ...}
- Wait for the workflow from 4. to complete by tracking its status:
curl https://<sddc-manager-address>/v1/tasks/<task-id> --insecure -H "Content-Type: application/json" -H "Authorization: Bearer <API-TOKEN>"
- Get the <service-id> from the database:
psql -h localhost -d platform -U postgres -c "select serviceId from credential where targettype='ESXI';"
- Update serviceid and servicetype in the database:
psql -h localhost -d platform -U postgres -c "update credential SET serviceid='<service-id>', servicetype='SDDC_MANAGER' where username='svc-vcf-<esxi-shortname>';"
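When several hosts are affected, /tmp/in.json from Scenario 1 can be generated instead of typed by hand. The shell function below is an added example, not part of the original article; the name build_in_json and the "shortname esxi-id" input layout are assumptions, and the sample hosts and ids are constructed.

```shell
#!/bin/sh
# Added example: build the body for POST /v1/service-accounts from
# "<esxi-shortname> <esxi-id>" pairs, one pair per line on stdin.
# The function name and the input layout are assumptions of this example.
build_in_json() {
    out=""
    nl='
'
    while read -r shortname esxi_id extra || [ -n "$shortname" ]; do
        # Skip blank lines and comment lines.
        case "$shortname" in ''|'#'*) continue ;; esac
        # Require exactly two fields per line.
        if [ -z "$esxi_id" ] || [ -n "$extra" ]; then
            echo "expected '<shortname> <esxi-id>' for '$shortname'" >&2
            return 1
        fi
        # Refuse anything that could break out of the JSON strings.
        case "$shortname$esxi_id" in
            *[!A-Za-z0-9._-]*)
                echo "illegal character in entry for '$shortname'" >&2
                return 1 ;;
        esac
        entry=$(printf '  {\n    "username":"svc-vcf-%s",\n    "roleName":"Admin",\n    "resourceType":"ESXI",\n    "resourceId":"%s"\n  }' \
            "$shortname" "$esxi_id")
        [ -z "$out" ] || out="$out,$nl"
        out="$out$entry"
    done
    # Nothing is printed unless every line passed validation.
    [ -n "$out" ] || { echo "no hosts given" >&2; return 1; }
    printf '[\n%s\n]\n' "$out"
}

# Constructed sample input: host names and ids are made up.
build_in_json <<'EOF'
# shortname  esxi-id
esxi-1 11111111-2222-3333-4444-555555555555
esxi-2 aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
EOF
```

Redirect the function's output to /tmp/in.json once the list of pairs is correct; because output is written only after all lines validate, a rejected line never leaves a partial file behind.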
Scenario 2: If you have noticed that the ESXi hosts have leftover service accounts before starting Bringup
Note: You can check on the ESXi hosts with esxcli system account list.
For each host with a leftover service account, execute step 3.