I have been reading the VMware validated design documents of late. I cannot recommend them enough they are awesome documents. It’s really worth the deep read. I noticed one of the design choices is to enable lockdown mode on all esx hosts. This is common due to security needs but it additionally commented that host profiles don’t capture lockdown mode settings so you have to manually set it. I have used PowerCLI to turn on and off (during issues) lockdown mode for years and VMware posted a KB article that includes the PowerCLI code here.
I wanted to write a piece of orchestrator code that would lock down esx hosts on a daily basis if they are not in lockdown mode. Consider it a desired end state tool.
If you wanted to enable Normal lockdown mode on all ESXi hosts you would use the following code:
//Get all hosts
hosts = System.getModule(“com.vmware.library.vc.host”).getAllHostSystems();
for each (host in hosts)
{
// Compare lockdown modes
if (host.config.lockdownMode.value === “lockdownDisabled”)
{
host.enterLockdownMode();
System.log(host.name + ” is being locked down”);
}
else if (host.config.lockdownMode.value === “lockdownNormal”)
{
System.log(host.name + ” is already locked down”);
}
}
Now if you wanted to disable lockdown you would just run the following code:
//Get all hosts hosts = System.getModule("com.vmware.library.vc.host").getAllHostSystems(); for each (host in hosts) { // Compare lockdown modes if (host.config.lockdownMode.value === "lockdownDisabled") { System.log(host.name + " is already not in lock down mode"); } else if (host.config.lockdownMode.value === "lockdownNormal") { host.exitLockdownMode(); System.log(host.name + " is now not in lock down mode."); } }
You can enable / disable strict mode sing lockdownStrict as well. I hope it helps… now all you need to do is create a scheduled task and perhaps do it cluster by cluster.