ESXi Lockdown Mode Explained
In an earlier post I mentioned that the upgrade to vSphere is the right time to make the decision between ESXi and ESX. In any experience with ESXi, you will undoubtedly notice the option in a number of places to enable ESXi Lockdown mode. Both platforms support Lockdown mode, but I want to focus on its behavior for ESXi host installations.
Lockdown mode simply removes any remote root-level access to the host through the vSphere Client. For managed installations using vSphere with vCenter, this is a safe configuration. Lockdown mode will require all communications to use the vCenter Agent on the ESXi system. When managed by vCenter, the communication between the ESXi host and vCenter uses a special user, called vpxuser. If lockdown mode is used, the most visible indication is that you cannot log into the ESXi host via the vSphere Client directly as root. Logging into a host (whether it be ESXi or ESX) directly with the vSphere or VI Client can make sense in certain troubleshooting situations, but generally if the host is managed by vCenter all client activity should be done there. Another side effect of enabling Lockdown mode would be any virtualization-specific tools that use the root account to access the ESXi host directly.
Lockdown mode does not, however, remove SSH access with the root account to the ESXi server if you have enabled it (see Fig. 1).
|Figure 1. An ESXi host is being added with the option to enable Lockdown mode. (Click image to view larger version.)
The next question is how does Lockdown mode affect any troubleshooting efforts that may be required for virtualization administrators? Not much, in my opinion. Through the physical console access via a monitor, HP iLO, Dell DRAC or otherwise direct access to the console of the system we are still able to access the main ESXi screen. This includes the option to restart the management network and restart the management agents. Further, the command line access is still available if needed on the ESXi host and Lockdown mode can be disabled on the fly.
Is Lockdown mode a security silver bullet? No. But it is a good practice if direct vSphere client connections should be prohibited to the hosts.
Posted by Rick Vanover on 09/10/2009 at 12:47 PM