Monthly Archives: June 2013

Onyx 101

It’s been a week now since I’ve been playing with Onyx.  I stand by my initial impressions that it’s a great little app.  If you’re into automation, and lets face it, who isn’t these days.  You should really give Onyx a looking into.  Now it’s not going to write any scripts for you.  But what it’s going to do is give you the core code of your actions in the vSphere Client.

I’ve had Onyx running in the background behind my vSphere Client for the past week.  What I found interesting, or depressing, was looking at the same code pop up in the background as I did the same repetitious tasks in the vSphere Client.  A lot of my repetitious actions could be condensed into a handful of lines of PowerCLI code.  All that was stopping me was a copy and paste from Onyx into a PowerCLI script.

As I start focusing more on PowerCLI I can myself referring to Onyx to help cut some of the guess work out of what commands I need to be running to achieve my objectives.  As i said, it’s not going to write a script for you, but it’s going to give you a  good head start.

Below are the steps to get started with Onyx.

Once you download the ZIP file uncompress it to a folder.  Locate Onyx.exe in the root of that folder and execute it.  No installation is required.

A small window will open. You can click on the blue cog and change the default settings (which are fine to initially start with) and then click on the orange asterisk in the top left corner.


This will open a connection window.  Type in the vCenter URL.  You can leave off the HTTPS if you wish and Onyx will insert it for you.

To simplify the process of connecting to the Onyx proxy with the vSphere Client click the checkbox to ‘Launch a client after connected‘.

Select VMware VI Client from the dropdown menu.  Then enter in your standard login credentials to vCenter and click Start.


The vSphere Client will start up and make a connection to the Onyx Service on your PC using the credentials you entered on the previous screen.  A warning will pop up stating that your connection is not encrypted and if you want to proceed.  Click Yes to continue.

It’s worth noting that the connection between Onyx and vCenter is still encrypted.  What’s not encrypted is your local proxied connection from the Sphere Client to Onyx.  For Onyx to see you actions from the vSphere Client it needs an unencrypted session.


If all successful up to this point your vSphere Client will connect to vCenter.  You’ll also see that the Onyx window will show a black screen and will say it’s connect to your vCenter on port 443 and running at your PC.


Now all we have to do is select our Output Mode, in this case, PowerCLI.  Then click the green play button on the top left.

As we perform actions in the vSphere Client they will be translated to code.  Below is the PowerCLI output from creating a new Resource Pool.


Below is the equivalent code but for VMware Orchestrator in JavaScript.


And that’s it.  You can copy and past code out by right click on the code.  You can also use the save button to save all the output to a file.

Reference Links

Project Onyx Fling

Project Onyx

In keeping with my recent VMware Flings interest, Onyx, has been another one of those Flings that’s caught my eye.  The name probably accounts for 50% of my interesting—Onyx—just sounds so cool.  It sounds like it stands for something important.  The geek I am I actually looked it up.  It’s Greek, meaning claw or fingernail.  eh, ok so not that cool now.

Onyx is an application that can generate output code based on your actions in the vSphere C# client.  It can generate four different types of output --Raw Soap Messages, C#, PowerShell, and vCO JavaScript.  It achieves this by setting itself up as a proxy between you and the vCenter Server.  So Onyx initiates a secure connection to the vCenter server and then you initiate a connection using the C# vSphere Client to Onyx.  From that point on everything becomes transparent to you.  You can continue to use the vSphere Client to manage vCenter as normal.  But now you have the ability to create scriptable code from your actions.

Onyx is designed to work only with the C# Client.  It does not work with the Web Client.  With the push to  the Web Client and no more C# clients in development.  This may mean that Onyx now has a finite lifespan to it.

In any case I plan on playing around with Onyx over the coming days.  To goal is to see if I can extract meaningful PowerCli and vCO output code to use.  As I spend more time with these products on a day to day basis I can see Onyx helping, or at least guiding me into the right direction, when stuck creating workflows and scripts.

Onyx can be found on the VMware Fling page.  There is also a VMTN community which has been created for Project Onyx.  Both of which can be found in the links below.


Reference Links

Project Onyx Fling
Project Onyx Community

ESXi Google Authenticator Fling -Install & Configure

I remember downloading the Google Authenticator app from the Google Play store the day it came out.  Since that time I never once even ran the app.  I just couldn’t be bothered setting it up with any websites, that was until now.

When I heard about a VMware Fling to bring Google Authenticator two-factor authentication to ESXi last week I wanted to try it out as fast as I could.  So today I played around with it and it works great!  So I noted down what I did and uploaded it all below.  There’s really only one requirement and that’s ESXi 5.0 or above.  True the instructions are on the Flings site but I thought I’d put them into my own words.

The first thing I did before I even started was make sure my host was using a good NTP time source and the time was correct.

Download the ESXi Google Authenticator zip file and extract the VIB file from it. (link below)

Upload the VIB to the ESX host.  I just used the vSphere Web Client and clicked on Storage under Inventories on the Home page.


I then located a Datastore that my host had access to. I created a folder called vib.  I then clicked the Upload a file to the Datastore icon.  Selected the VIB and clicked Open.  (I also tried using the zip file without extracting the VIB but couldn’t get it to work so give that a miss)


Next I installed the VIB on the host using the ESXCLI.  Normally I would use the Management Assistant for this but because I’m playing around with authentication I was on the console of the host.  Replace the path of where you uploaded the VIB.

esxcli software vib install -v /vmfs/volumes/datastore2/vib/esx_google-authenticator_1.0.0-0.vib -f

If successful you should receive output similar to below.


Next you need to execute the command ‘google-authenticator’


A short wizard will run with a series of questions on how you would like to setup the authenticator.  Each environment may influence how it is set-up.  Record down the secret key and also the URL for when the Mobile App is set-up later on.

The Two Factor authentication works with SSH and Shell access.  The config process currently is all manual.

First you have to edit /etc/ssh/sshd_config.  I used vi from the ESXCLI.  Went into Insert mode made the below change and write & quit.

ChallengeResponseAuthentication yes

Next you have to edit /etc/pam.d/sshd for ssh and/or /etc/pam.d/login for console with the first line.

auth required

Initially I tried to use vi but couldn’t save so I used sed as shown in the Fling instructions.

sed -i -e ‘3iauth required’ /etc/pam.d/sshd
sed -i -e ‘3iauth required’ /etc/pam.d/login

For the change to take effect immediately run ‘/etc/init.d/SSH restart’

The change is not persistent after a reboot so for this to happen the above two lines will need to be added to /etc/rc.local.d/

Finally you have to set up the Google Authenticator app.  I used the Android version which I originally downloaded the day after it was released and never used.  The Google Authenticator link below has links to iOS and Blackberry apps as well.  There’s two ways to add the ESXi host to the app.  You can manually add in the ESXi using the Secret Key provided above.  Or the easier approach I found was to use the URL that generated above and put that into a web browser.  That will load a QR code on the screen.  Using a QR reader on the phone scan it and it will automagically load Google Authenticator and add in the ESXi host.


Google Authenticator
ESXi Google Authenticator Fling
Android App

ESXi Google Authenticator Fling

I love that even as large as VMware is they can still have a little fun with their product and development names.  VMware Octopus was one of my favourites.  I think we were all disappointed when they changed the name to fall into the Horizon Suite.  Flings are another great name I love.

A few days back I saw a tweet from the Fling team of a new Fling.  The name caught my eye immediately –ESXi Google Authenticator.    It sounds like a pretty cool idea.  Two factor authentication to ESXi.  I haven’t tried it out yet but I’ll be looking to over the coming days.

The source link to the Fling is below.  Designed by a couple VMware engineers in the R&D team.  There doesn’t appear to be much to the installation and configuration process.  You will need a fast connection, though, to download the 26kb zip file 🙂

It’s supported on ESXi 5.0 and 5.1.  Single admin support on ESXi 5.0 and multiple admin support on ESXi 5.1.  You have 30-second TOTP codes and support for emergency scratch codes, which I presume are for emergencies 😉

Source Link

ESXi Google Authenticator Fling