How to Hack vCenter Database in vCSA Appliance

As @lamw documented in his blog, you can access the database in the vCenter software appliance (vCSA). In the first appliance of version 5.0, VMware included IBM DB2 Embedded and then switched to vPostgres right after. That’s because vPostgres is VMware’s own product based on the open source Postgres.

By default, access to the vPostgres database is limited to local applications. In other words, if you try to access the database remotely, it will not work. After researching a little, I figured out how to configure the database for remote access.


In general, you should not touch the database except through the vSphere API. For development and testing, though, it should be fine. Before the hack, it’s always a good idea to back up the database.

For me, the biggest motivation is that I wanted to use a GUI tool, pgadmin3, for managing the database. It’s not possible to run it on the appliance as it is. Although doable, using SQL commands as follows to list all the tables and check their fields is not as easy as using a GUI tool.

vCSA:/# /opt/vmware/vpostgres/1.0/bin/psql -h localhost -U vc VCDB
psql (9.0.4)
Type "help" for help.
 
VCDB=> select table_schema, table_name FROM information_schema.tables ORDER BY table_name, table_schema;

Before hacking the vCenter appliance, let’s find an Ubuntu machine and install the software:

$ sudo apt-get install pgadmin3

Once you get it installed, you can start the application. In the connection wizard, you can input the needed parameters, including the password. There is no well-known password, but it’s saved in the /etc/vmware-vpx/vcdb.properties file. Copy it over to the GUI. The connection will be refused until you apply the tweaks introduced below.

First, open the /storage/db/vpostgres/postgresql.conf using vi editor, and search for the listen_addresses. Change the line to the following:

listen_addresses='*'

It means it would serve connections from any host. If you want to limit it to certain hosts, you can use the following comma-separated list (change the entries to your own addresses, but always keep 127.0.0.1):

listen_addresses='127.0.0.1,10.10.8.8,192.168.10.10'

Second, open the /storage/db/vpostgres/pg_hba.conf, and change the IPv4 line as follows:

host    all     all     0.0.0.0/0     trust

Lastly, you want to restart the database server so that the new configuration can take effect.

# /etc/init.d/vmware-vpostgres restart

When the above steps are done correctly, you can test it out with the pgAdmin GUI. You should be able to connect to vCenter database directly using the GUI. Viewing the records won’t hurt anything, but if you want to update any tables, make sure you back up the database or get ready to install the vCenter appliance again.
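A check you can run against copies of the two files edited above, added here as an example and not code from the original post: it reads listen_addresses and reports pg_hba.conf `host` rules that use `trust` for non-loopback ranges or that are open to every address. The sample file contents and function names are constructed for illustration; `trust` skips the password check entirely, so a rule such as the `md5` line for a single address in the sample is the tighter form.

```python
import ipaddress
import re

# Constructed samples reproducing the settings from the post (not real files).
SAMPLE_POSTGRESQL_CONF = "listen_addresses='*'\nport = 5432\n"
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  md5
host    all       all   127.0.0.1/32   md5
host    all       all   0.0.0.0/0      trust
host    VCDB      vc    10.10.8.8/32   md5
"""

def listen_addresses(conf_text):
    """Return the listen_addresses entries found in postgresql.conf text."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"listen_addresses\s*=?\s*'([^']*)'", line)
        if m:
            return [a.strip() for a in m.group(1).split(",") if a.strip()]
    return ["localhost"]  # PostgreSQL default when the setting is absent

def audit_pg_hba(hba_text):
    """Return (line_no, reason) for host rules that weaken remote access control."""
    findings = []
    for no, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blank lines and local (Unix-socket) rules
        db, user, addr, method = fields[1:5]
        try:
            if "/" in addr:
                net = ipaddress.ip_network(addr, strict=False)
            else:  # "address netmask" form: the method moves one column right
                net = ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False)
                method = fields[5]
        except (ValueError, IndexError):
            continue  # host names and keywords are out of scope here
        if net.is_loopback:
            continue
        if method == "trust":
            findings.append((no, f"trust for {db}/{user} from {net}: no password checked"))
        elif net.prefixlen == 0:
            findings.append((no, f"{method} rule is open to every address ({net})"))
    return findings

if __name__ == "__main__":
    print("listen_addresses:", listen_addresses(SAMPLE_POSTGRESQL_CONF))
    for no, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf line {no}: {reason}")
```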

The tricky part of the vCenter database is that it has many more tables than anyone wants to browse through, and lots of the useful data you want to check is somehow encoded in binary fields. So the power of accessing the database directly is limited.

Have fun with hacking the vCenter database.


3 Comments

  1. adam savage
    Posted March 17, 2015 at 11:44 am | Permalink

    good afternoon,

    I was able to get this working fine on the 5.5 appliance but it would appear that the 6.0 appliance has more security possibly? I updated the same appliance to 6.0 from 5.5 but pgadmin3 doesn’t seem to want to connect anymore even after I’ve applied the changes above. Thoughts?

    thank you,

    Adam Savage

  2. Posted March 17, 2015 at 11:48 am | Permalink

    Haven’t looked at the 6.0. No idea what has changed.

    Should you find anything there, please feel free to share.

    Steve

  3. Posted March 21, 2015 at 2:32 pm | Permalink

    You need to allow PostgreSQL through the VCSA firewall. Take a look at http://nilic.github.io/2015/03/21/exploring-vcsa-embedded-postgresql-database/


    Me: Steve Jin, VMware vExpert who authored the VMware VI and vSphere SDK by Prentice Hall, and created the de facto open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell, VMware, are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.