While playing with the vSphere API last week, I ran into an issue: I could not disable the SSH server with the firewall APIs (see HostFirewallSystem). The following call would throw an exception:
There are many other services, like “sshClient”, whose ports can be enabled and disabled via the API. As a nice surprise, they all work just fine.
What puzzled me was why the SSH server is so special that it alone fails with the firewall API. The services behind the firewall can be completely different, but the filtering of their ports should be very similar if not identical. My guess is that someone added logic to handle cases like ESXi lockdown mode. In any case, it should have been caught in QA, since the check can easily be automated with a script that runs against every new build.
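The regression script described above, as an added example that is not part of the original post: it walks every firewall ruleset on a host through HostFirewallSystem's DisableRuleset/EnableRuleset calls (the pyVmomi names for the API; the post's own code is not shown), records which rulesets refuse to change instead of aborting on the first fault, and flips each one back to its original state. The connection helper, the ruleset keys used in the demo and the fake firewall object are assumptions constructed for this example; only the two method names and the `firewallInfo.ruleset` attribute are the real vSphere API.

```python
"""Regression check for ESXi firewall rulesets via HostFirewallSystem.

Added example, not code from the original post. Flips every ruleset to the
opposite state and back, reporting the ones that fail (the sshServer case).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class RulesetResult:
    """Outcome of toggling one ruleset away from its state and back again."""
    key: str
    enabled_before: bool
    toggle_error: Optional[str] = None   # error when flipping away from the original state
    restore_error: Optional[str] = None  # error when flipping back

    @property
    def ok(self) -> bool:
        return self.toggle_error is None and self.restore_error is None


def _describe(exc: BaseException) -> str:
    return f"{type(exc).__name__}: {exc}"


def check_rulesets(fw, rulesets: Iterable) -> Dict[str, RulesetResult]:
    """Toggle each ruleset and restore it, recording failures per ruleset.

    `fw` is anything exposing DisableRuleset(id=...) and EnableRuleset(id=...),
    such as pyVmomi's vim.host.FirewallSystem; `rulesets` yields objects with
    `.key` and `.enabled`, like the entries of fw.firewallInfo.ruleset.
    """
    results: Dict[str, RulesetResult] = {}
    for rs in rulesets:
        res = RulesetResult(key=rs.key, enabled_before=bool(rs.enabled))
        if res.enabled_before:
            first, second = fw.DisableRuleset, fw.EnableRuleset
        else:
            first, second = fw.EnableRuleset, fw.DisableRuleset
        try:
            first(id=rs.key)
        except Exception as exc:  # pyVmomi raises vim.fault.HostConfigFault here
            res.toggle_error = _describe(exc)
        else:
            try:
                second(id=rs.key)  # restore only if the first flip succeeded
            except Exception as exc:
                res.restore_error = _describe(exc)
        results[rs.key] = res
    return results


def failing_rulesets(results: Dict[str, RulesetResult]) -> List[str]:
    """Sorted keys of rulesets that could not be toggled or restored."""
    return sorted(k for k, r in results.items() if not r.ok)


def connect_hosts(hostname: str, user: str, password: str):
    """Return (ServiceInstance, [HostSystem, ...]) for a live ESXi host or vCenter.

    Assumed helper; pyVmomi is imported lazily so the offline demo below runs
    without it. For each host use host.configManager.firewallSystem as `fw`.
    """
    import ssl
    from pyVim.connect import SmartConnect
    from pyVmomi import vim

    si = SmartConnect(host=hostname, user=user, pwd=password,
                      sslContext=ssl.create_default_context())
    content = si.RetrieveContent()
    view = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)
    hosts = list(view.view)
    view.Destroy()
    return si, hosts


# --- constructed stand-in so the check runs offline -------------------------
@dataclass
class FakeRuleset:
    key: str
    enabled: bool


class FakeFirewallSystem:
    """Mimics the two HostFirewallSystem calls; refuses to disable `refuse`."""
    def __init__(self, refuse: Iterable[str]):
        self.refuse = set(refuse)
        self.calls: List[tuple] = []

    def DisableRuleset(self, id: str) -> None:
        self.calls.append(("disable", id))
        if id in self.refuse:
            raise RuntimeError("Cannot change the host configuration")

    def EnableRuleset(self, id: str) -> None:
        self.calls.append(("enable", id))


def demo() -> List[str]:
    """Run the check against the constructed fake: only sshServer should fail."""
    fw = FakeFirewallSystem(refuse=["sshServer"])
    rulesets = [FakeRuleset("sshServer", True), FakeRuleset("sshClient", True),
                FakeRuleset("ntpClient", False)]
    return failing_rulesets(check_rulesets(fw, rulesets))


if __name__ == "__main__":
    print("rulesets failing the toggle check:", demo())
```

Against a real host, replace the fake with `host.configManager.firewallSystem` and `fw.firewallInfo.ruleset`; a non-empty result from `failing_rulesets` on a fresh build is exactly the signal the post says QA should have had.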
To be sure the problem was not in my code, I also tried disabling the SSH server port in the vSphere Client. Unsurprisingly, that did not work either; an error dialog box popped up.
Was my environment special? I searched the Internet and found the KB article “Disabling SSH services on an ESXi host using the vSphere Client fails with the error: Cannot change the host configuration” (http://kb.vmware.com/kb/2037544) in the VMware community. Not only is the issue confirmed for ESXi 5.1, but a workaround is also provided.
So if you have run into this issue, you have probably already figured out what is going on. If not, don’t be surprised when you do. You can try the workaround in the KB. Hopefully the bug will be addressed in the next vSphere release; better still, the engineering team will add a test case to guard against it coming back.