Frequent vpxuser logins using user agent pyvmomi
search cancel

Frequent vpxuser logins using user agent pyvmomi

book

Article ID: 421210

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • The following event logs are observed in /var/run/log/hostd.log
                 YYYY-MM-DDT0HH:MM:SS In(166) Hostd[2103240]: [Originator@6876 sub=Vimsvc.ha-eventmgr opID=esxcli-f3### sid=52####] Event 345### : User [email protected] logged in as pyvmomi Python/3.8.18 (VMkernel; 8.0.2; x86_64)
                 YYYY-MM-DDT0HH:MM:SS In(166) Hostd[2103224]: [Originator@6876 sub=Solo.VmwareCLI opID=esxcli-f3### sid=52#### user=vpxuser] Dispatch network.nic.get
                 YYYY-MM-DDT0HH:MM:SS In(166) Hostd[2103224]: [Originator@6876 sub=Solo.VmwareCLI opID=esxcli-f3### sid=52#### user=vpxuser] Dispatch network.nic.get done
                 YYYY-MM-DDT0HH:MM:SS In(166) Hostd[2103201]: [Originator@6876 sub=Vimsvc.ha-eventmgr opID=esxcli-f3### sid=52#### user=vpxuser] Event 345### : User [email protected] logged out (login time: Month, Day, Year 08:13:59 AM, number of API invocations: 7, user agent: pyvmomi Python/3.8.18 (VMkernel; 8.0.2; x86_64))
                 YYYY-MM-DDT0HH:MM:SS In(166) Hostd[2103224]: [Originator@6876 sub=Vimsvc.HaSessionManager opID=esxcli-f3### sid=52####] Accepted password for user vpxuser from 127.0.0.1 - session=521fc###############
  • As per /var/run/log/auth.log, we see the below entries:
                 YYYY-MM-DDT0HH:MM:SS In(38) sshd[43281###]: Connection from #.#.#.# port ####
                 YYYY-MM-DDT0HH:MM:SS In(38) sshd[43281###]: Accepted keyboard-interactive/pam for username from #.#.#.# port #### ssh2
                 YYYY-MM-DDT0HH:MM:SS In(86) sshd[43281###]: pam_unix(sshd:session): session opened for username by (uid=0)
                 YYYY-MM-DDT0HH:MM:SS In(38) sshd[43281###]: User 'username' running command 'esxcli system visorfs ramdisk list'
  • We see certain cron jobs as given below, which tries to query the host to collect the nic and storage information:
            2104347 python  /opt/vxrail/bin/main.py
            443708131 python  /sbin/esxcli storage san fc list
            443708153 python  /sbin/esxcli network nic get -n vmnic#

Environment

VMware vSphere ESXi 7.x

VMware vSphere ESXi 8.x

 

 

Cause

  • VXRail Manager needs to query the platform service on the ESXi hosts roughly every 15 minutes.
  • It will use the VXRail user to perform those queries.
  • VXRail Manager will use a pyvmomi API call to perform the query where the authentication request will be done through the vpxuser.

Resolution

This is an expected behavior while having integration with VXRail manager since the VXRail user tries to collect the cluster information every 15 minutes.

Powered by Wolken Software