How to use ESXTOP access with read-only account

Luciano PatrãoICT Senior Infraestructure  Engineer  
vExpert vSAN, NSX, Cloud Provider, Veeam Vanguard, Virtual Backups, and Storage design, and an active blogger.
Giving access to ESXi shell console is always an issue for IT departments to other Teams, or Projects. We need to find a way so that teams can use ESXTOP for their POCs, or tests without giving them the access to ESXi host shell console with a root account.
There are some 3rd party tools that you can use, without the need to access the ESXi host shell console (using ssh). Normally these type of tools needs root permissions.
To find a solution for a read-only user (or minimum non-root), first is to identify what are the permissions that a user needs to access the esxtop.
I found a good article from William Lam regarding this esxtop and user permissions.
You need to create a role (in the ESXi hosts) with these permissions: Global - Service Managers
esxtop-04.jpgYou need to ensure that you create the same user in all ESXi hosts and associate the user with this role created in the previous step.
After you have your user and roles created in all ESXi hosts, you can now start to test some of the tools.
The tools that I tested are:
Option 1: visualextop
You can download and read about this Fling tool in VMware labs:
This tool runs locally as a java application on your laptop, or server and you can check your esxtop statistics like in the Windows Performance Monitor (perfmon).
Just run the tool (the vtop.bat file) and add your ESXi host credentials (for read-only users, use the user created in the previous step).

esxtop-01.jpgesxtop-02.jpgI think this is a good tool. The only problem is that doesn't display VMs names, only World ID. World ID is an ID set in the ESXi host process for running VMs. For a user to identify which VM belongs to, it needs to login to ESXi shell console and checks VMs and their World ID (using esxcli vm process list command you get VMs World ID), or you can create a small PowerCli script to provide that list.
In the second tool, you do not need to use a read-only user since you can run the tool in the vSphere Web Client directly.
Option 2: ESXtopNGC
You can download and read about this Fling tool in VMware labs:
Note: This tool is only supported for vCenter 5.5 and above (I only tested in 5.5 and 6.0).
This tool is installed in the vCenter Web Client (for VCSA and Windows vCenter).
  • vCenter Appliance
First, you need to upload the files to the vCenter Appliance (VCSA) /root. You can use a tool like WinSCP to upload files into your VCSA.
Note: When you try to connect to your VCSA using WinSCP you could get a message similar to this one:
esxtop-03.jpg##Connect to your VCSA shell console,  if bash shell is not enabled, you need to enable.
Using username "root".
                      VMware vCenter Server Appliance
                      Type: vCenter Server with an embedded Platform Services Controller
                      Last login: Sun Mar  5 15:26:58 2017 from unknown705a0f80b103.domain_not_set.invalid
                      Connected to service
                          * List APIs: "help api list"
                          * List Plugins: "help pi list"
                          * Enable BASH access: "shell.set --enabled True"
                          * Launch BASH: "shell"
                      Command> shell.set --enable True
                      Command> shell
                          ---------- !!!! WARNING WARNING WARNING !!!! ----------
                      Your use of "pi shell" has been logged!
                      The "pi shell" is intended for advanced troubleshooting operations and while
                      supported in this release, is a deprecated interface, and may be removed in a
                      future version of the product.  For alternative commands, exit the "pi shell"
                      and run the "help" command.
                      The "pi shell" command launches a root bash shell.  Commands within the shell
                      are not audited, and improper use of this command can severely harm the
                      Help us improve the product!  If your scenario requires "pi shell," please
                      submit a Service Request, or post your scenario to the
             forum and add
                      "appliance" tag.
                      nested-vcenter-06:~ #

Open in new window

In the VCSA Bash shell, run this command to change the default shell to Bash: chsh -s /bin/bash root

nested-vcenter-06:~ # chsh -s /bin/bash root
                      Changing login shell for root.
                      Shell changed.
                      nested-vcenter-06:~ #

Open in new window

After you should be able to connect to VCSA and upload the plugin file to /root

##unzip the file

Run the following commands:

nested-vcenter-06:/ # unzip -d /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugin-package.xml
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/10-org.apache.servicemix.bundles.commons-lang-2.4_6.jar
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/1-org.apache.servicemix.bundles.xmlpull-
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/2-org.apache.servicemix.bundles.xstream-1.4.7_1.jar
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/3-commons-cli-1.2.jar
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/4-javax.servlet-api-3.0.1.jar
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/5-org.apache.servicemix.bundles.junit-4.11_2.jar
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/6-org.apache.servicemix.bundles.spring-core-4.0.5.RELEASE_1.jar
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/7-org.apache.servicemix.bundles.spring-beans-4.0.5.RELEASE_1.jar
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/8-org.apache.servicemix.bundles.spring-context-4.0.5.RELEASE_1.jar
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/9-org.apache.servicemix.bundles.commons-jexl-1.1_5.jar
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/esxtop-ngc-svc-1.0.0.jar
                        inflating: /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/plugins/esxtop-ngc-ui-war-1.0.0.war
                      nested-vcenter-06:/ # chmod -R 777 /usr/lib/vmware-vsphere-client/plugin-packages/esxtop-plugin/
                      ## restart vSphere Client
                      nested-vcenter-06:/ # etc/init.d/vsphere-client restart
                      Last login: Sun Mar  5 10:53:13 UTC 2017 on console
                      Stopping VMware vSphere Web Client...
                      Stopped VMware vSphere Web Client.
                      Starting VMware vSphere Web Client...
                      Waiting for VMware vSphere Web Client......
                      running: PID:16853
                      ## To return to the Appliance Shell, run this command:
                      nested-vcenter-06:/ # chsh -s /bin/appliancesh root
                      Changing login shell for root.
                      Shell changed.
                      nested-vcenter-06:/ #

Open in new window

After the plugin installation is finished for VCSA.

  • Windows vCenter
Download the file and unzip this file into the plugin-packages folder in your Windows vCenter Server.
Depending your Windows version, browse to C:\Program Files\VMware\Infrastructure\vSphereWebClient\plugin-packages or C:\Program Files\VMware\vCenter Server\WebClient\plugin-packages
After restart your vSphere Web Client service
esxtop-05.jpgNow let's check the ESXtop plugin. Login to your vCenter with vSphere Web Client.
If you get:
The vSphere Client web server is initializing
The vSphere Client web server is still initializing. Please try again shortly.
VMware vSphere Documentation and Support
Wait 1 or 2 minutes, Web Client is still restarting.
After successful login: Select Hosts and Clusters select one ESXi host click Monitor tab and then you should see the plugin tab with the name TOP.
As you can see in the above image, the plugin have all the options from the esxtop. You can export the data by clicking the button "Start exporting stats", and you can change the refresh rate clicking on the button "Set Refresh Rate". The default is 15 seconds.
Important note: Some users complain that after installing this plugin, the VDP plugin disappears, or stop working (or even other plugins). Using Windows vCenter 6.0 and VCSA, I was not able to test this scenario, so test this plugin in a non-Production environment before you install this in Production vCenters.
Last option to use a user without the need to root access to our ESXi hosts shell console to use esxtop.
Option 3 (this was the option I used for our Project request): Create a user in ESXi host with admin permissions
Note: This solution needs to be applied to all ESXi hosts you want to give access to ESXTOP.
First, you need to login to ESXi host and create the user:
Click users tab and click right mouse button and choose add.
  1. Add login name and user name (optional).
  2. Add and confirm user password (ESXi uses complex passwords).
Note: If you get "User name or password has an invalid format", please check
  • Weak password: not enough different characters or classes.
  • Weak password: too short.
  • Weak password: based on a dictionary word and not a passphrase.
  • User name or password has an invalid format
  • The user name can be invalid if it contains a special character.
  • The password can be invalid if it does not contain a letter, a number, and a special character.
esxtop-03-02.jpgAfter you create the user you will see the user in the ESXi host user list.
Next click on the Permissions tab.
Again, click right mouse button and choose add option.
Now let's add administrator permissions to the user you created above.
Add the user to the administrator permissions.
esxtop-03-06.jpgesxtop-03-07.jpgNow you have the user with administrator permissions.
After you have the user with the proper permissions. You now need to login to the ESXi host shell console with that user and change the user shell to only run esxtop for this specific user.
Shell user is in /etc/passwd file, so you need to change this file.
The default is esxtop:x:1000:1000:esxtop:/:/bin/sh and you need to change to esxtop:x:1000:1000:esxtop:/:/bin/esxtop
[esxtop@DL360-ESXi03:~] vi /etc/passwd
                      daemon:x:2:2:System daemons:/:/sbin/nologin
                      nfsnobody:x:65534:65534:Anonymous NFS User:/:/sbin/nologin
                      dcui:x:100:100:DCUI User:/:/sbin/nologin
                      vpxuser:x:500:100:VMware VirtualCenter administration account:/:/bin/sh

Open in new window

Now every time this user esxtop log in to the ESXi host using ssh automatically the ESXTOP will run. The user can now work with the tool with all permissions, but after exit, the ESXTOP ESXi host shell console will close. Therefore this user will never have direct access to the shell console itself.

Hope this information was useful.

This article is the part of my "TIP Articles". So, please vote "Helpful" on this Article. And I encourage your comments and feedback.
Luciano PatrãoICT Senior Infraestructure  Engineer  
vExpert vSAN, NSX, Cloud Provider, Veeam Vanguard, Virtual Backups, and Storage design, and an active blogger.

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.