How to get full (root) access to NSX-v appliances (Manager & Edge) & NSX Intelligence

If you have ever tried to troubleshoot an NSX-v Management Appliance or Edge, you probably noticed that you are quite limited in the commands you can run. That’s because in NSX-v you are by default limited, most of the time to only esxcli, even when you are logged in as admin.

To get past that you need to enter Engineering Mode.
This is quite simple for the Manager, but more difficult for the Edge.

Let’s see how we can get into Engineering Mode for both systems.

*Precaution*.
Only follow this procedure if you know exactly what you are doing. It is actually only meant for when you are already working with GSS support. Carelessly altering the NSX-v OS can break the whole system beyond repair. Make sure you also have a backup in case something goes wrong.

A large part of the procedure can be found in this KB.
However, not everything is documented there, such as accessing Engineering Mode for the Edge appliance.

Entering Engineering Mode for the NSX-v Manager

First authentication: from a vSphere console or an SSH client, log in to the NSX Manager using the administrator user name and password that you supplied at install, or the latest credentials if they have changed since installation.
Then we need to authenticate a second time.
From the NSX Manager CLI, type en or

enable

and press enter. Use the same password that you used at installation time. If correct, you are in “enable mode”.
Think of enable mode as a version of “root access”.

From your double-authenticated enable mode prompt, enter engineering mode by typing st eng<enter>.

Note: As of NSX for vSphere 6.3.2, you now have to acknowledge the following warning:

Engineering Mode: The authorized NSX Manager system administrator is requesting a shell which is able to perform lower level unix commands/diagnostics and make changes to the appliance. VMware asks that you do so only in conjunction with a support call to prevent breaking your virtual infrastructure. Please enter the shell diagnostics string before proceeding.Type Exit to return to the NSX shell. Type y to continue: y
Password:

To continue type Y

Then type the password:

IAmOnThePhoneWithTechSupport

At this point you are at a bash prompt.

Note: if you get an error that says “ERROR: Engineering Mode disabled”, you can enable it with the following command:

debug engineeringmode enable

This is often needed for the Edge.

Once you’ve entered the password you should be in engineering mode with a bash prompt.

Entering Engineering Mode for the NSX-v Edge
The procedure for Engineering Mode on the Edge is almost exactly the same, except for one thing: the password that you need to enter for “enable” mode is different.

Most likely the Edges in your environment don’t have a standard password or the one you came up with during deployment. To get the password for the Edge, we need to do one thing first: look up the password by executing a command on the NSX Manager that manages the Edge. For this to work, you need to be in Engineering Mode on the NSX Manager.

In this example, I want to get the password for the Edge that has the id “edge-5”. You can find this id in the “NSX Edge” tab / view in the vSphere client.

To get the password, run the following command:

/home/secureall/secureall/sem/WEB-INF/classes/GetSpockEdgePassword.sh edge-number

In my case this is:

/home/secureall/secureall/sem/WEB-INF/classes/GetSpockEdgePassword.sh edge-5

Once you have the password, use it for enable mode on the Edge that you want to troubleshoot.
The rest of the procedure is the same as before.


Entering Engineering Mode for the NSX Intelligence

Entering Engineering Mode for NSX Intelligence is much simpler.
You just log in as admin and type

st eng

Then you enter the root password that was set during deployment, which is most likely the same as the admin password, since you can keep those the same if you selected that option (during deployment).

After that you’re logged in.
No enable mode, “IAmOnThePhoneWithTechSupport” password or debug needed.


That’s it, I hope this was helpful for you.
If by any chance you feel uncomfortable doing this procedure, don’t hesitate to call VMware Support / GSS. That’s what they are for.

 
