Skip to main content

 Reset root password on all Aria Automation / Orchestrator nodes of a cluster, where there is access on a node but locked out of other nodes

https://knowledge.broadcom.com/external/article?articleNumber=326122


Products

VMware Aria Suite

Issue/Introduction

It is preferable to avoid a reboot, as starting up to k8s pods being "Ready" takes many minutes.

Symptoms:

When logging in to Aria Automation or Orchestrator nodes as root over SSH or on VM Console, we are unable to log in for any reason.

For example, we may be shown:

Access Denied.

Often, we have access on 1 or 2 nodes, but need to restore root access to the other(s).

Environment

Aria Automation 8.x
Aria Automation Orchestrator 8.x

Cause

There are many potential causes for root access denied on Linux:

  1. Account is locked due to unsuccessful attempts or other PAM failure thresholds - (pam_tally2)
  2. Password expired due to maxdays from change exceeded. Often a successful login allows (and demands) password change. 
  3. The account password is locked: passwd -S shows L as 2nd value
  4. The PAM settings have been changed to non-standard values for Aria Automation / Orchestrator
  5. We just don't know the password

These reasons are per-node, and so in many cases we have access to 1 or 2 nodes

Resolution

Please see the numbered list of potential causes above.

1. Unlock account (PAM) on all nodes:

  • You can check if the failures exceeds the maximum (default: 3 attempts needs 5 mins' wait)
    • vracli cluster exec -- bash -c 'hostname; pam_tally2 -u root'
  • Unlock root on all nodes:
    • vracli cluster exec -- bash -c 'hostname; pam_tally2 -u root --reset'

2 & 3. Review these settings on all nodes:

  • vracli cluster exec -- bash -c 'hostname; passwd -S root'

2. If the date in the 3rd value + the days in the 5th value has passed, you can disable this expiry:

  • vracli cluster exec -- bash -c 'hostname; passwd -x -1 root'
  • Once access is restored, reset maxdays expiry to 1 year:
    • vracli cluster exec -- bash -c 'hostname; passwd -x 365 root'

3. Unlock password for account if there is an L as the second value to passwd -S  :

  • vracli cluster exec -- bash -c 'hostname; passwd -u root'

4. Please review all files in /etc/pam.d on customer system with reference to a fresh lab Aria Automation/Orchestrator system of same version.

  • If any are different to the standard, please revert to standard values and/or review the manpages for PAM
  • Get it working with standard values and customer can attempt to make unsupported modifications in a change window, at their own peril

5. Change password on all nodes to NewTemporaryPassword:

  • vracli cluster exec -- bash -c 'hostname; echo -e "NewTemporaryPassword\nNewTemporaryPassword" | passwd'
  • Once access is restored using NewTemporaryPassword, you can change to a desired password. Run on each node:
    • passwd

Additional Information

Impact/Risks:

This article is to avoid the impact of a reboot.

The reboot option is available here (impacting):Resetting the root password on a Photon appliance in VMware Aria Automation

 

Comments

Post a Comment

Popular posts from this blog

Quick Guide to VCF Automation for VCD Administrators

  Quick Guide to VCF Automation for VCD Administrators VMware Cloud Foundation 9 (VCF 9) has been  released  and with it comes brand new Cloud Management Platform –  VCF Automation (VCFA)  which supercedes both Aria Automation and VMware Cloud Director (VCD). This blog post is intended for those people that know VCD quite well and want to understand how is VCFA similar or different to help them quickly orient in the new direction. It should be emphasized that VCFA is a new solution and not just rebranding of an old one. However it reuses a lot of components from its predecessors. The provider part of VCFA called Tenenat Manager is based on VCD code and the UI and APIs will be familiar to VCD admins, while the tenant part inherist a lot from Aria Automation and especially for VCD end-users will look brand new. Deployment and Architecture VCFA is generaly deployed from VCF Operations Fleet Management (former Aria Suite LCM embeded in VCF Ops. Fleet Management...
Post a Comment
Read more
  Issue with Aria Automation Custom form Multi Value Picker and Data Grid https://knowledge.broadcom.com/external/article?articleNumber=345960 Products VMware Aria Suite Issue/Introduction Symptoms: Getting  error " Expected Type String but was Object ", w hen trying to use Complex Types in MultiValue Picker on the Aria for Automation Custom Form. Environment VMware vRealize Automation 8.x Cause This issue has been identified where the problem appears when a single column Multi Value Picker or Data Grid is used. Resolution This is a known issue. There is a workaround.  Workaround: As a workaround, try adding one empty column in the Multivalue picker without filling the options. So we can add one more column without filling the value which will be hidden(there is a button in the designer page that will hide the column). This way the end user will receive the same view.  
Post a Comment
Read more
  "Cloud zone insights not available yet, please check after some time" message on Aria Automation https://knowledge.broadcom.com/external/article?articleNumber=314894 Products VMware Aria Suite Issue/Introduction Symptoms: The certificate for Aria operations has been replaced since it was initially added to Aria Automation as an integration. When accessing the Insights pane under  Cloud Assembly  ->  Infrastructure  ->  Cloud Zone  ->  Insights  the following message is displayed:   "Cloud zone insights not available yet, please check after some time." The  /var/log/services-logs/prelude/hcmp-service-app/file-logs/hcmp-service-app.log  file contains ssl errors similar to:   2022-08-25T20:06:43.989Z ERROR hcmp-service [host='hcmp-service-app-xxxxxxx-xxxx' thread='Thread-56' user='' org='<org_id>' trace='<trace_id>' parent='<parent_id>' span='<span_id>'] c.v.a.h.a.common.AlertEnu...
Post a Comment
Read more