How to Hack vCenter Database in vCSA Appliance

As @lamw documented in his blog, you can access the database in the vCenter software appliance (vCSA). In the first appliance of version 5.0, VMware included IBM DB2 Embedded and then switched to vPostgres right after. That’s because vPostgres is VMware’s own product based on the open source Postgres.

By default, access to the vPostgres database is limited to local applications. In other words, if you want to access the database remotely, it will not work. After researching a little, I figured out how to configure the database for remote access.

In general, you should not touch the database except through the vSphere API. But if you want to do something for development and testing, it should be fine. Before the hack, it’s always a good idea to back up the database.

For me, the biggest motivation is that I wanted to use the GUI tool pgadmin3 for managing the database. It’s not possible to run it on the appliance as it is. Although doable, using the SQL command as follows to list all the tables and check their fields is not as easy as using a GUI tool.

vCSA:/# /opt/vmware/vpostgres/1.0/bin/psql -h localhost -U vc VCDB
psql (9.0.4)
Type "help" for help.
 
VCDB=> select table_schema, table_name FROM information_schema.tables ORDER BY table_name, table_schema;

Before hacking the vCenter appliance, let’s find an Ubuntu machine and install the software:

$ sudo apt-get install pgadmin3

Once you get it installed, you can start the application. In the connection wizard, you can input the needed parameters, including the password. There is no well-known password, but it’s saved in the /etc/vmware-vpx/vcdb.properties file. Copy it over to the GUI. Without the tweaks introduced below, the connection will be refused.

First, open the /storage/db/vpostgres/postgresql.conf using vi editor, and search for the listen_addresses. Change the line to the following:

listen_addresses='*'

It means it would serve connections from any host. If you want to limit it to certain hosts, you can use the following (change them to your own addresses, but always keep 127.0.0.1):

listen_addresses='127.0.0.1,10.10.8.8,192.168.10.10'

Second, open the /storage/db/vpostgres/pg_hba.conf, and change the IPv4 line as follows:

host    all     all     0.0.0.0/0     trust

Lastly, you want to restart the database server so that the new configuration can take effect.

# /etc/init.d/vmware-vpostgres restart
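An added example (not from the original post or from VMware): a small Python check that reads pg_hba.conf text and flags TCP rules that use trust, which admits any matching client without a password, or that match more addresses than a chosen limit. pg_hba.conf, not listen_addresses, decides which client addresses may connect; the sample file, the audit_pg_hba name and the max_hosts threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample. Line 3 is the rule from the article; the other rules
# are illustrative and reuse addresses from its listen_addresses example.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                      METHOD
local   all       all                                trust
host    all       all   0.0.0.0/0                    trust
host    VCDB      vc    10.10.8.8/32                 md5
host    all       all   192.168.10.0 255.255.255.0   trust
"""


def audit_pg_hba(text, max_hosts=256):
    """Return (line_no, reason) pairs for risky TCP rules in pg_hba.conf text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # blank, comment, or 'local' (Unix socket) rule
        address, nxt = fields[3], fields[4]
        try:
            # "address netmask method" form
            net = ipaddress.ip_network(f"{address}/{nxt}", strict=False)
            method = fields[5] if len(fields) > 5 else ""
        except ValueError:
            method = nxt
            try:
                net = ipaddress.ip_network(address, strict=False)  # CIDR form
            except ValueError:
                net = None  # hostname or keyword such as samenet
        if method == "trust":
            findings.append((line_no, "trust: any matching client connects without a password"))
        if net is not None and net.num_addresses > max_hosts:
            findings.append((line_no, f"{net} matches {net.num_addresses} addresses"))
    return findings


if __name__ == "__main__":
    for line_no, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf line {line_no}: {reason}")
```

The rule on line 4 of the sample (one database, one user, a single client address, md5 password authentication) produces no finding and still works with the password copied from vcdb.properties.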

When the above steps are done correctly, you can test it out with the pgAdmin GUI. You should be able to connect to vCenter database directly using the GUI. Viewing the records won’t hurt anything, but if you want to update any tables, make sure you back up the database or get ready to install the vCenter appliance again.

The tricky part of the vCenter database is that it has many more tables than anyone wants to browse through, and lots of the useful data you want to check is somehow encoded in binary fields. So the power of accessing the database directly is limited.

Have fun with hacking the vCenter database.

  1. adam savage
    March 17th, 2015 at 11:44 | #1

    Good afternoon,

    I was able to get this working fine on the 5.5 appliance, but it would appear that the 6.0 appliance has more security, possibly? I updated the same appliance to 6.0 from 5.5, but pgadmin3 doesn’t seem to want to connect anymore, even after I’ve applied the changes above. Thoughts?

    thank you,

    Adam Savage

  2. March 17th, 2015 at 11:48 | #2

    Haven’t looked at the 6.0. No idea what has changed.

    Should you find anything there, please feel free to share.

    Steve

  3. March 21st, 2015 at 14:32 | #3

    You need to allow PostgreSQL through the VCSA firewall. Take a look at http://nilic.github.io/2015/03/21/exploring-vcsa-embedded-postgresql-database/
