ESXi Host Compliance Unknown Due to esxupdate LockFile Errors
search cancel

ESXi Host Compliance Unknown Due to esxupdate LockFile Errors

book

Article ID: 442336

calendar_today

Updated On:

Products

VMware vSphere ESXi VMware vCenter Server

Issue/Introduction

  • ESXi hosts report an "Unknown" compliance state during vSphere Lifecycle Manager (vLCM) baseline scans.

  • The vCenter /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log displays recurring depot connection errors indicating telemetry failures from the host:

    info vmware-vum-server[811354] [Originator@6876 sub=Telemetry] [TelemetryManager 261] Sending telemetry data: {"@type":"pman_error_report","taskId":"<######>","entityId":"<######>|<HOSTNAME>","parentTaskId":"","errorMessageId":"com.vmware.vcIntegrity.lifecycle.EsxImage.DepotConnectError","errorMessage":"An error occurred while connecting to depot."}
  • Simultaneously, the ESXi host /var/log/esxupdate.log shows resource locking errors followed immediately by cryptographic VIB signature verification failures:
    LockFile: ERROR: Error locking file /var/run/liveimgdb.pid: [Errno 11] Resource temporarily unavailable, the file is currently locked by process with PID ####
LockFile: ERROR: Error locking file /var/run/bootbankimgdb.pid: [Errno 11] Resource temporarily unavailable, the file is currently locked by process with PID ####
vmware.esximage.Vib: ERROR: Failed to verify VIB signature #2: ('VMware_bootbank_lsuv2-lsiv2-drivers-plugin_####vmw.#########', 'Could not find a trusted signer: self signed certificate')

Environment

VMware vSphere ESXi
VMware vCenter Server

Cause

  • Stale or hung esxupdate processes create orphaned file locks on the ESXi image databases (/var/run/liveimgdb.pid and /var/run/bootbankimgdb.pid).

  • This prevents the esxupdate daemon from establishing a clean working directory and accessing its trusted certificate store, forcing cryptographic signature validation of standard VIBs to fail securely and aborting the vLCM baseline scan.

Resolution

  • Establish an SSH session to the affected ESXi host as root.

  • Terminate the hung esxupdate processes by executing the following command: kill -9 $(lsof | grep esxupdate | awk '{print $1}')

  • Manually remove the stale database lock files:

    rm /var/run/liveimgdb.pid
    rm /var/run/bootbankimgdb.pid

  • Restart the core management agents to reinitialize the state safely. To prevent disruption to NSX, vSAN, or shared graphics workloads, bypass the services.sh script and use the targeted commands:

    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart

  • Return to the vSphere Client and re-run the cluster baseline compliance scan.

Additional Information

Checking image compliance on ESXi fails

Restarting the Management agents in ESXi

ESXi upgrade failure due to expired VIB

Powered by Wolken Software