To protect the integrity of the ESXi host, do not allow users to install unsigned (community-supported) VIBs. An unsigned VIB contains code that is not certified by, accepted by, or supported by VMware or its partners. Community-supported VIBs do not have a digital signature.
About this task
You can use ESXCLI commands to set an acceptance level for a host. The host's acceptance level must be the same or less restrictive than the acceptance level of any VIB you want to add to the host. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on hosts in production systems.
The following acceptance levels are supported.
The VMwareCertified acceptance level has the most stringent requirements. VIBs with this level go through thorough testing fully equivalent to VMware in-house Quality Assurance testing for the same technology. Today, only IOVP drivers are published at this level. VMware takes support calls for VIBs with this acceptance level.
VIBs with this acceptance level go through verification testing, but the tests do not fully test every function of the software. The partner runs the tests and VMware verifies the result. Today, CIM providers and PSA plug-ins are among the VIBs published at this level. VMware directs support calls for VIBs with this acceptance level to the partner's support organization.
VIBs with the PartnerSupported acceptance level are published by a partner that VMware trusts. The partner performs all testing. VMware does not verify the results. This level is used for a new or nonmainstream technology that partners want to enable for VMware systems. Today, driver VIB technologies such as Infiniband, ATAoE, and SSD are at this level with nonstandard hardware drivers. VMware directs support calls for VIBs with this acceptance level to the partner's support organization.
The CommunitySupported acceptance level is for VIBs created by individuals or companies outside of VMware partner programs. VIBs at this level have not gone through any VMware-approved testing program and are not supported by VMware Technical Support or by a VMware partner.
- Connect to each ESXi host and verify that the acceptance level is set to VMwareCertified or VMwareAccepted by running the following command.
esxcli software acceptance get
- If the host acceptance level is not VMwareCertified or VMwareAccepted, determine whether any of the VIBs are not at the VMwareCertified or VMwareAccepted level by running the following commands.
esxcli software vib list esxcli software vib get -n vibname
- Remove any VIBs that are at the PartnerSupported or CommunitySupported level by running the following command.
esxcli software vib remove --vibname vib
- Change the acceptance level of the host by running the following command.
esxcli software acceptance set --level acceptance_level