While playing with the vSphere API last week, I ran into an issue: I could not disable the SSH server with the firewall APIs (see HostFirewallSystem). The following call would throw an exception:
There are many other services, like “sshClient”, whose ports can be enabled and disabled via the API. As a nice surprise, they all work just fine.
The issue puzzled me: why is this SSH server so special that only it fails with the firewall API? Note that the services behind the firewall could be totally different, but the filtering of ports should be pretty similar, if not identical. I guess someone might have put in some logic to handle cases like ESXi lockdown mode. Anyway, it should have been caught in QA, because it can easily be automated with a script that runs against every new build.
To be sure it wasn’t a problem in my code, I further tried the vSphere Client to disable the SSH server port there. No surprise: it didn’t work either, with an error dialog box popping up.
Was my environment special? I then searched the Internet and found a KB article, “Disabling SSH services on an ESXi host using the vSphere Client fails with the error: Cannot change the host configuration” (http://kb.vmware.com/kb/2037544), in the VMware community. Not only was the issue confirmed with ESXi 5.1, but a workaround is also provided.
So if you have run into this issue, you’ve probably figured out what’s going on. If not yet, don’t be surprised if you do. You can try out the workaround in the KB. Hopefully it will be addressed in the next vSphere release. Better still, the engineering team should add a test case to guard against the bug coming back.
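The per-build check argued for above, as an added example that is not the post's own code: it walks every firewall ruleset through disableRuleset/enableRuleset on HostFirewallSystem and reports which disable calls raise. The pyvmomi calls and the vCenter credentials in probe_live_host are assumptions; FakeFirewallSystem is a constructed stand-in that reproduces the ESXi 5.1 behaviour described in the post so the probe can run offline.

```python
"""Added example, not the post's code: a regression probe for the ESXi firewall API
that disables and re-enables every ruleset via HostFirewallSystem and reports which
disable calls raise.  pyvmomi calls are real; FakeFirewallSystem is constructed."""
from types import SimpleNamespace

def probe_rulesets(firewall_system, ruleset_ids):
    """Return {ruleset_id: None} when disable succeeded, {ruleset_id: error text}
    when it raised.  Rulesets that were enabled are switched back on afterwards."""
    enabled_before = {rs.key: rs.enabled for rs in firewall_system.firewallInfo.ruleset}
    results = {}
    for rid in ruleset_ids:
        try:
            firewall_system.DisableRuleset(id=rid)
        except Exception as exc:  # pyvmomi raises vim.fault.HostConfigFault here
            results[rid] = str(exc) or type(exc).__name__
        else:
            results[rid] = None
            if enabled_before.get(rid):
                firewall_system.EnableRuleset(id=rid)
    return results

def probe_live_host(vcenter, user, password, esxi_name):
    """Run the probe against a real host (assumed credentials and host name)."""
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim
    si = SmartConnect(host=vcenter, user=user, pwd=password)
    try:
        view = si.content.viewManager.CreateContainerView(
            si.content.rootFolder, [vim.HostSystem], True)
        fw = next(h for h in view.view if h.name == esxi_name).configManager.firewallSystem
        return probe_rulesets(fw, [rs.key for rs in fw.firewallInfo.ruleset])
    finally:
        Disconnect(si)

class FakeFirewallSystem:
    """Constructed stand-in for the ESXi 5.1 behaviour described above: every
    ruleset toggles fine except sshServer, whose disable call raises."""
    def __init__(self, rulesets):
        self.firewallInfo = SimpleNamespace(
            ruleset=[SimpleNamespace(key=k, enabled=e) for k, e in rulesets])
    def _ruleset(self, rid):
        return next(rs for rs in self.firewallInfo.ruleset if rs.key == rid)

    def DisableRuleset(self, id):
        if id == "sshServer":
            raise RuntimeError("HostConfigFault: Cannot change the host configuration")
        self._ruleset(id).enabled = False

    def EnableRuleset(self, id):
        self._ruleset(id).enabled = True
```

Against the fake, the probe reports only sshServer as failing and leaves every ruleset in its original state; against a live host it would flag whichever ruleset the current build rejects.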