The vrm-cli tool is a command-line utility to perform tasks primarily related to looking up and rotating passwords and syncing properties between racks. You can also perform some configuration tasks using this tool.

The vrm-cli tool is located in /home/vrack/bin in the SDDC Manager virtual machine's file system. Only the root account can run the vrm-cli tool. To run a command, change to the /home/vrack/bin directory and type ./vrm-cli.sh followed by the command.

./vrm-cli.sh <command>

To list the available vrm-cli tool commands, use the following command.

./vrm-cli.sh help

To connect to the SDDC Manager database through the vrm-cli, you must switch to the postgres user.

su --login postgres

Important:

You should stop the vrm-watchdogserver and vrm-tcserver services before running these commands. Even though some of the vrm-cli tool's commands can run without you explicitly stopping the services, it is a best practice to stop both services before running any vrm-cli.sh command. When you are done running the commands, restart the vrm-watchdogserver service, which also restarts the vrm-tcserver service.

rack-1-vrm-1:/home/vrack/bin # service vrm-watchdogserver stop
Stopping watchdog
rack-1-vrm-1:/home/vrack/bin # service vrm-tcserver stop
Instance is running as PID=21972, shutting down...
Instance is running PID=21972, sleeping for up to 10 seconds waiting for shutdown
Instance shut down gracefully
rack-1-vrm-1:/home/vrack/bin # ./vrm-cli.sh 
all credentials for all hosts:
...
...
rack-1-vrm-1:/home/vrack/bin # service vrm-watchdogserver start
Starting watchdog
Successfully started watchdog.
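
The stop, run, restart sequence shown above, as an added Python wrapper that is not part of the vrm-cli tool or of this page: it refuses to run vrm-cli unless both services stopped cleanly, and it starts vrm-watchdogserver again even when the vrm-cli command fails or cannot be executed. The service names and the /home/vrack/bin path come from this page; the wrapper, its run-as-root assumption and the injectable runner (used so the sequencing can be tested without touching real services) are assumptions of this example.

```python
import subprocess
from typing import Callable, List, Sequence

VRM_DIR = "/home/vrack/bin"            # location of vrm-cli.sh (from the page)
WATCHDOG, TCSERVER = "vrm-watchdogserver", "vrm-tcserver"

# A runner takes an argv list and returns its exit status. The default really
# executes it on the SDDC Manager VM (as root); tests pass a recording stub.
Runner = Callable[[Sequence[str]], int]

def real_runner(argv: Sequence[str]) -> int:
    return subprocess.run(list(argv), cwd=VRM_DIR).returncode

def run_vrm_cli_quiesced(command: List[str], run: Runner = real_runner) -> int:
    """Stop vrm-watchdogserver, then vrm-tcserver, run ./vrm-cli.sh <command>
    and return its exit status. vrm-watchdogserver is started again afterwards
    (it restarts vrm-tcserver itself), even when the vrm-cli command fails."""
    if run(["service", WATCHDOG, "stop"]) != 0:
        raise RuntimeError("could not stop %s; vrm-cli not run" % WATCHDOG)
    if run(["service", TCSERVER, "stop"]) != 0:
        run(["service", WATCHDOG, "start"])   # undo the first stop before bailing out
        raise RuntimeError("could not stop %s; %s restarted" % (TCSERVER, WATCHDOG))
    try:
        return run(["./vrm-cli.sh", *command])
    finally:
        if run(["service", WATCHDOG, "start"]) != 0:
            # Do not fail silently: SDDC Manager stays down until the watchdog is back.
            raise RuntimeError("%s did not restart; start it by hand" % WATCHDOG)

if __name__ == "__main__":
    import sys
    sys.exit(run_vrm_cli_quiesced(sys.argv[1:] or ["help"]))
```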

Lookup Commands

Use these commands to look up information about entities managed by SDDC Manager.

Table 1. vrm-cli Lookup Commands

lookup-esxi
    Subcommands and input: None
    Description: Lists the IP addresses of the ESXi hosts that are visible in-band to the rack's HMS agent, for the rack on which the command is run.

lookup-domains
    Subcommands and input: None
    Description: Queries the environment's logical inventory for the management and workload domains and lists their names.

lookup-history
    Subcommands and input: store | latest | timestamp yyyy-mm-dd.hh:mm:ss
    Description: Manages and retrieves the password history recorded in Zookeeper.
        ./vrm-cli.sh lookup-history store records the local rack's current password state into Zookeeper.
        ./vrm-cli.sh lookup-history latest lists the account information from the most recent history recorded in Zookeeper.
        ./vrm-cli.sh lookup-history timestamp yyyy-mm-dd.hh:mm:ss lists the password-rotation history associated with the specified timestamp.

lookup-password
    Subcommands and input: None
    Description: Retrieves and lists the account credentials for the built-in accounts that are managed and rotated by SDDC Manager. See also Look Up Account Credentials Using the Lookup-Password Command.

lookup-password-sso
    Subcommands and input: None
    Description: Lists the SSO domains, users, and passwords that are managed by the vrm-cli tool.

lookup-psc
    Subcommands and input: None
    Description: Lists information about the Platform Services Controller instances that are visible in the logical inventory.

lookup-rack
    Subcommands and input: None
    Description: Lists the physical racks currently visible in the inventory, by UUID and name.

lookup-vcenter
    Subcommands and input: None
    Description: Lists the IP addresses of the vCenter Server instances that are visible in the inventory.

lookup-vrm
    Subcommands and input: None
    Description: Lists information about the SDDC Manager virtual machines that are visible in the inventory.

Password Rotation, Set Up, and Generation Commands

Use these commands to rotate passwords to software-generated randomized passwords for the accounts that are managed by SDDC Manager, set up ESXi host passwords, and generate passwords that adhere to the SDDC Manager password policies.

Note:

Because some items in your installation's inventory are managed across all racks in the installation while other inventory items can only be managed from their controlling rack, the command's behavior depends on whether it is run in the first rack's SDDC Manager virtual machine or on a subsequent rack. In the table, the term visible indicates those inventory items that are visible to the command and to the HMS agent of the SDDC Manager in which the command is run. When run from a specific rack's SDDC Manager virtual machine, the resources in that rack are the ones visible to the command. See On-Demand Password Rotation in Your Cloud Foundation Installation.

Table 2. vrm-cli Password Rotation, Set Up, and Generation Commands

rotate-all
    Subcommands and input: None
    Description: Rotates passwords for all inventory items that are visible and safe to rotate automatically, except for the IPMI passwords. The IPMI passwords are rotated using rotate-password-ipmi.

rotate-password-esx
    Subcommands and input: None
    Description: Rotates passwords for the service console accounts for all of the visible ESXi hosts.

rotate-password-ipmi
    Subcommands and input: None
    Description: Rotates IPMI passwords for all of the visible ESXi hosts.

rotate-password-isvm
    Subcommands and input: None
    Description: Rotates passwords of the visible ISVM virtual appliances.

rotate-password-lcm
    Subcommands and input: None
    Description: Rotates passwords on resources identified as LCM.

rotate-password-lcm-backup
    Subcommands and input: None
    Description: Rotates passwords on resources identified as LCM-Backup resources.

rotate-password-li-api
    Subcommands and input: None
    Description: Rotates the vRealize Log Insight API password.

rotate-password-li-ssh
    Subcommands and input: None
    Description: Rotates the vRealize Log Insight virtual appliance's console user password.

rotate-password-nsx
    Subcommands and input: None
    Description: Rotates the NSX Manager virtual appliances' SSH password using the NSX Manager REST API.

rotate-password-nsx-controller
    Subcommands and input: None
    Description: Rotates passwords for the visible NSX controllers using the NSX Manager REST API.

rotate-password-postgres
    Subcommands and input: None
    Description: Rotates the password for Postgres.

rotate-password-psc
    Subcommands and input: None
    Description: Rotates passwords for the visible Platform Services Controller appliances.

rotate-password-sso
    Subcommands and input: host user | host user old-password new-password
    Description: Rotates the password for a specified SSO user on a specified Platform Services Controller appliance. If no host and user are specified, all visible SSO users have their password credentials rotated. You can optionally supply the old password and a new password for a specific user.

rotate-password-switch
    Subcommands and input: None
    Description: Rotates passwords for the visible switches.

rotate-password-tor-switch
    Subcommands and input: None
    Description: Rotates passwords for the visible ToR switches.

rotate-password-vcenter
    Subcommands and input: None
    Description: Rotates the console user password for the visible vCenter Server appliances.

rotate-password-vrops-api
    Subcommands and input: None
    Description: Rotates the vRealize Operations Manager API password.

rotate-password-vrops-ssh
    Subcommands and input: None
    Description: Rotates the vRealize Operations Manager virtual appliance's console user password.

setup-password-esx
    Subcommands and input: host-ip current-password
    Description: Used by SDDC Manager when you add or replace a server. Manual use of this command is not generally needed.

generate-password
    Subcommands and input: length
    Description: Generates a password and prints it to the command line. The generated passwords conform to the environment's password policies. Used by SDDC Manager; manual use of this command is not generally needed.

decrypt
    Subcommands and input: encrypted-text
    Description: Decrypts the input text and prints the output to the command line. Primarily used by SDDC Manager; manual use of this command is not generally needed.

encrypt
    Subcommands and input: plain-text
    Description: Encrypts the input text and prints the output to the command line.

Configuration-Related Commands

Use these commands for special configuration operations.

Table 3. vrm-cli Configuration-Related Commands

configure-snmp
    Subcommands and input: full-path-to-input-json-file
    Description: Configures use of an external SNMP management server for the ToR and spine switches for the rack in which the command is run. With this command, you can use your existing network monitoring tools to monitor the switches on a rack using SNMP. Each rack in your installation has two ToR switches. Additionally, the second rack in a multi-rack installation has the two spine switches for the installation.

SNMP v3 provides secure communication between the switches and your SNMP management server.

The input to this command is the full absolute path to a JSON file, including the file name. The required JSON input is shown below. The # annotations explain each key; they must not appear in the actual file, because JSON does not allow comments.

{
  "enabled": true,                    # true turns SNMP on for the switches; false or omitted disables it
  "serverIp": "nnn.nnn.nnn.nnn",      # SNMP server IP address or hostname
  "serverPort": nnn,                  # (optional) SNMP server port (default = 162)
  "users": [                          # user accounts SDDC Manager uses to connect to the SNMP server
    {
      "username": "snmpuser1",
      "authType": "SHA",                # (optional) either SHA or MD5
      "authPassword": "auth password",  # (optional) passphrase for authentication
      "privType": "AES",                # (optional) either AES or DES
      "privPassword": "priv password"   # (optional) passphrase for privacy
    },                                  # a comma separates consecutive user objects
    {
      "username": "snmpuser1",
      "authType": "SHA",                # (optional) either SHA or MD5
      "authPassword": "auth password",  # (optional) passphrase for authentication
      "privType": "AES",                # (optional) either AES or DES
      "privPassword": "priv password"   # (optional) passphrase for privacy
    }
  ]
}

Where:

  • serverIp is your SNMP management server's IP address or host name.

  • serverPort is that server's SNMP port. If not specified, port 162 is used as the default.

  • users lists the accounts that are used for the connection to your SNMP management server, as configured in its management software.

To disable SNMP on the switches, set "enabled": false in the JSON, or omit the "enabled" line.

You must provide the full path to the JSON file, even if the JSON file resides in the same /home/vrack/bin directory from which you are running the ./vrm-cli.sh configure-snmp command.

As an example, if you copy a JSON file named enablesnmp.json into the VRM VM's /home/vrack/bin directory, where the vrm-cli.sh file is located, log in to the VRM VM and change directories to /home/vrack/bin. Then, to perform the configure SNMP operation, you type:

./vrm-cli.sh configure-snmp /home/vrack/bin/enablesnmp.json
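
A pre-flight check for the configure-snmp input file, added here as an example (it is not part of vrm-cli or of this page): it parses the file as strict JSON, applies the defaults and allowed values listed above, and flags SNMPv3 user settings that leave the switch-to-server traffic unauthenticated, unencrypted or on deprecated algorithms. The SAMPLE string is a constructed input, and the rules beyond what the page states (privacy requires authentication, MD5/DES are weak) follow the SNMPv3 user security model rather than anything this tool is documented to enforce.

```python
import json
AUTH_TYPES, PRIV_TYPES, DEFAULT_PORT = {"SHA", "MD5"}, {"AES", "DES"}, 162  # values from the page
# Constructed sample input: the page's first user, with the '#' annotations removed.
SAMPLE = ('{"enabled": true, "serverIp": "192.0.2.10", "users": [{"username": "snmpuser1", "authType": "SHA",'
          ' "authPassword": "auth password", "privType": "AES", "privPassword": "priv password"}]}')

def validate_snmp_config(text: str):
    """Check a configure-snmp input file; returns (errors, warnings) as two lists."""
    errors, warnings = [], []
    try:
        cfg = json.loads(text)   # strict JSON: no '#' annotations, commas in place
    except json.JSONDecodeError as e:
        return ["not valid JSON (strip '#' notes, check commas): %s" % e], warnings
    if not isinstance(cfg, dict): return ["top level must be a JSON object"], warnings
    if cfg.get("enabled") is not True:          # false or omitted disables SNMP
        warnings.append("enabled is not true: this file DISABLES SNMP on the switches")
        return errors, warnings
    if not isinstance(cfg.get("serverIp"), str) or not cfg["serverIp"].strip():
        errors.append("'serverIp' (IP address or hostname) is required")
    port = cfg.get("serverPort", DEFAULT_PORT)
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append("'serverPort' must be an integer 1-65535 (default 162)")
    users = cfg.get("users")
    if not isinstance(users, list) or not users:
        return errors + ["'users' must be a non-empty list"], warnings
    seen = set()
    for i, u in enumerate(users):
        name = u.get("username") if isinstance(u, dict) else None
        if not isinstance(name, str) or not name:
            errors.append("users[%d]: 'username' is required" % i)
            continue
        if name in seen:
            warnings.append("users[%d]: username %r appears more than once" % (i, name))
        seen.add(name)
        for kind, allowed in (("auth", AUTH_TYPES), ("priv", PRIV_TYPES)):
            t = u.get(kind + "Type")
            if t is not None and t not in allowed:
                errors.append("users[%d]: %sType must be one of %s" % (i, kind, sorted(allowed)))
            if t is not None and not u.get(kind + "Password"):
                errors.append("users[%d]: %sType set but %sPassword missing" % (i, kind, kind))
        auth, priv = u.get("authType"), u.get("privType")
        if priv is not None and auth is None:   # SNMPv3 USM: privacy needs authentication
            errors.append("users[%d]: privType without authType" % i)
        if auth is None:
            warnings.append("users[%d]: no authentication (noAuthNoPriv)" % i)
        elif priv is None:
            warnings.append("users[%d]: no privacy, SNMP traffic is not encrypted" % i)
        if auth == "MD5" or priv == "DES":
            warnings.append("users[%d]: MD5/DES are weak, prefer SHA and AES" % i)
    return errors, warnings
```

Run the file's contents through validate_snmp_config before calling ./vrm-cli.sh configure-snmp; since the file carries the SNMPv3 passphrases in clear text, keep it readable by root only and remove it once the switches are configured.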

configure-syslog
    Subcommands and input: None
    Description: Configures syslog on the switches for the rack in which the command is run. See Configure Syslog from the Switches to vRealize Log Insight.

sync-properties
    Subcommands and input: None
    Description: Syncs properties between the primary rack and a new rack that you are adding to the environment. See the VMware Cloud Foundation Overview and Bring-Up Guide for details about running the command when adding a new rack. See About the Primary Rack and the SDDC Manager Virtual IP Address for the definition of the primary rack.