lamw / ghettoVCB


work around for esxi 7 new root restricted permissions #233

Open smhick opened 3 years ago

smhick commented 3 years ago

I've managed to install and configure ghettoVCB on my ESXi 7 host, but with the introduction of the new restrictions in ESXi 7, the root account can no longer change permissions or executable files in ESXi 7.0.x: https://kb.vmware.com/s/article/78689?lang=en_US

Has anyone worked out a workaround for this? I can no longer even edit my vms_to_back file to add new VMs I want to back up. Right now my configuration is stuck as is, and I'm no longer able to make changes to it as I can't edit the permissions of the files.

```
[root@esxi-02:~] chmod ug+x ghettoVCB-master/ghettoVCB*.sh
chmod: ghettoVCB-master/ghettoVCB-restore.sh: Operation not permitted
chmod: ghettoVCB-master/ghettoVCB.sh: Operation not permitted
```

toffelwurst commented 3 years ago

Actually this, too, is the major show stopper for me. The script's sanity check doesn't have version 7.0.2 included and the restrictions in 7.x are preventing me from simply editing 7.0.2 into it, to work again.

kubedzero commented 3 years ago

I store my ghettoVCB files in a folder on one of the Datastores and just confirmed on 7.0.2 that the permissions and executability can still be updated and modified without issue. Rather than installing GVCB via the VIB, I just wget the files I want into that folder, mark them as executable, and then schedule them via Cron.

```
[root@esxi:~] GHETTOPATH="/vmfs/volumes/970PRO/ghettoVCB/testFile.sh"
[root@esxi:~] chmod -x $GHETTOPATH
[root@esxi:~] ls -lh $GHETTOPATH
-rw-r--r--    1 root     root       70.5K May 14 16:00 /vmfs/volumes/970PRO/ghettoVCB/testFile.sh
[root@esxi:~] chmod +x $GHETTOPATH
[root@esxi:~] ls -lh $GHETTOPATH
-rwxr-xr-x    1 root     root       70.5K May 14 16:00 /vmfs/volumes/970PRO/ghettoVCB/testFile.sh
[root@esxi:~]
```

toffelwurst commented 3 years ago

> I store my ghettoVCB files in a folder on one of the Datastores and just confirmed on 7.0.2 that the permissions and executability can still be updated and modified without issue. Rather than installing GVCB via the VIB, I just wget the files I want into that folder, mark them as executable, and then schedule them via Cron.

I feel like a total moron after reading your solution by not figuring this out myself :D

smcclosr commented 3 years ago

Could another workaround be to create a user, and then use sudo to change the permissions? I would try it myself, but running 6.7 U3, and not planning on upgrading for at least a couple of months.

crashtestoz commented 2 years ago

I am running ghettoVCB on ESXi 7.0.3 and I get this error when running my script from cron:

Executing a file from datastore (non visorfs) is not allowed

My script permissions seem correct: -rwxr-xr-x 1 root root 75157 Mar 25 07:59 ghettoVCB.sh

The script is located on one of my datastores. I can run the script from the CLI and it executes correctly.

Any suggestions how to resolve this would be appreciated.

sysadmin-info commented 1 year ago

A cron job is set in the file /var/spool/cron/crontabs/root that runs every day at 1:30 am. Analyze it below to understand how I did it.

ESXi has an ugly behavior and restores the crontab and the template file ghettoVCB.conf to the default values during the reboot. To avoid it, I had to edit /etc/rc.local.d/local.sh and modify it by adding the lines below between #Note and exit 0. Then all you need to do is reboot the ESXi server. Please remember to change the IDs of your backup volume. I think you know what you have in your ghettoVCB.conf, so adapt the below to your needs according to the entries you have.

```sh
# Make the config template writable, empty it, then write the settings.
/bin/chmod 644 /opt/ghettovcb/ghettoVCB.conf
/bin/echo > /opt/ghettovcb/ghettoVCB.conf
/bin/echo "VM_BACKUP_VOLUME=/vmfs/volumes/61d2e9c0-76524a0c-c1b8-901b0ee82972/virtual-machines
DISK_BACKUP_FORMAT=thin
VM_BACKUP_ROTATION_COUNT=3
POWER_VM_DOWN_BEFORE_BACKUP=0
ENABLE_HARD_POWER_OFF=0
ITER_TO_WAIT_SHUTDOWN=3
POWER_DOWN_TIMEOUT=5
ENABLE_COMPRESSION=0
VM_SNAPSHOT_MEMORY=0
VM_SNAPSHOT_QUIESCE=0
VMDK_FILES_TO_BACKUP=\"all\"
ALLOW_VMS_WITH_SNAPSHOTS_TO_BE_BACKEDUP=1
ENABLE_NON_PERSISTENT_NFS=0
UNMOUNT_NFS=0
SNAPSHOT_TIMEOUT=15
EMAIL_ALERT=0
EMAIL_LOG=0
WORKDIR_DEBUG=0" > /opt/ghettovcb/ghettoVCB.conf
# Back to read-only, with the sticky bit set.
/bin/chmod 444 /opt/ghettovcb/ghettoVCB.conf
/bin/chmod +t /opt/ghettovcb/ghettoVCB.conf

# Stop crond, append the daily 01:30 job to root's crontab, restart crond.
/bin/kill $(cat /var/run/crond.pid)
/bin/chmod 644 /var/spool/cron/crontabs/root
# \$ keeps $(date ...) literal in the crontab, so the timestamp is taken at
# each run instead of once when local.sh executes at boot.
/bin/echo "30 1 * * * /opt/ghettovcb/bin/ghettoVCB.sh -g /opt/ghettovcb/ghettoVCB.conf -a > /vmfs/volumes/61d2e9c0-76524a0c-c1b8-901b0ee82972/virtual-machines/logs/ghettoVCB-backup-\$(date +\%s).log" >> /var/spool/cron/crontabs/root
/bin/chmod 444 /var/spool/cron/crontabs/root
/bin/chmod +t /var/spool/cron/crontabs/root
/usr/lib/vmware/busybox/bin/busybox crond
```

Eventually you can store the ghettoVCB.conf in a different volume. See the example:

```sh
# Same procedure, with ghettoVCB.conf kept on a datastore volume.
/bin/chmod 644 /vmfs/volumes/61d2e9c0-76524a0c-c1b8-901b0ee82972/vib/ghettoVCB.conf
/bin/echo > /opt/ghettovcb/ghettoVCB.conf
/bin/echo "VM_BACKUP_VOLUME=/vmfs/volumes/61d2e9c0-76524a0c-c1b8-901b0ee82972/virtual-machines
DISK_BACKUP_FORMAT=thin
VM_BACKUP_ROTATION_COUNT=3
POWER_VM_DOWN_BEFORE_BACKUP=0
ENABLE_HARD_POWER_OFF=0
ITER_TO_WAIT_SHUTDOWN=3
POWER_DOWN_TIMEOUT=5
ENABLE_COMPRESSION=0
VM_SNAPSHOT_MEMORY=0
VM_SNAPSHOT_QUIESCE=0
VMDK_FILES_TO_BACKUP=\"all\"
ALLOW_VMS_WITH_SNAPSHOTS_TO_BE_BACKEDUP=1
ENABLE_NON_PERSISTENT_NFS=0
UNMOUNT_NFS=0
SNAPSHOT_TIMEOUT=15
EMAIL_ALERT=0
EMAIL_LOG=0
WORKDIR_DEBUG=0" > /vmfs/volumes/61d2e9c0-76524a0c-c1b8-901b0ee82972/vib/ghettoVCB.conf
# Back to read-only, with the sticky bit set.
/bin/chmod 444 /vmfs/volumes/61d2e9c0-76524a0c-c1b8-901b0ee82972/vib/ghettoVCB.conf
/bin/chmod +t /vmfs/volumes/61d2e9c0-76524a0c-c1b8-901b0ee82972/vib/ghettoVCB.conf

# Stop crond, append the daily 01:30 job to root's crontab, restart crond.
/bin/kill $(cat /var/run/crond.pid)
/bin/chmod 644 /var/spool/cron/crontabs/root
# \$ keeps $(date ...) literal in the crontab, so the timestamp is taken at
# each run instead of once when local.sh executes at boot.
/bin/echo "30 1 * * * /opt/ghettovcb/bin/ghettoVCB.sh -g /vmfs/volumes/61d2e9c0-76524a0c-c1b8-901b0ee82972/vib/ghettoVCB.conf -a > /vmfs/volumes/61d2e9c0-76524a0c-c1b8-901b0ee82972/virtual-machines/logs/ghettoVCB-backup-\$(date +\%s).log" >> /var/spool/cron/crontabs/root
/bin/chmod 444 /var/spool/cron/crontabs/root
/bin/chmod +t /var/spool/cron/crontabs/root
/usr/lib/vmware/busybox/bin/busybox crond
```
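
The crontab step from the comment above, as an added example that is not part of the thread or of ghettoVCB: it appends the job only when that exact line is missing and leaves the file read-only afterwards. The function name `add_cron_entry` and the variable `GVCB_ENTRY` are hypothetical, and the host's grep is assumed to accept `-q`, `-x` and `-F`.

```sh
#!/bin/sh
# Added example, not ghettoVCB code. The crontab path is a parameter so the
# function can be tried on a scratch file before it is pointed at
# /var/spool/cron/crontabs/root.

# add_cron_entry CRONTAB ENTRY
# Returns 0 if ENTRY was appended, 1 if it was already present, 2 on error.
add_cron_entry() {
    crontab_file=$1
    entry=$2

    [ -f "$crontab_file" ] || return 2

    # -x whole line, -F fixed string: the entry contains '*' and '$', which
    # must not be interpreted as a regular expression.
    if grep -qxF -- "$entry" "$crontab_file"; then
        return 1
    fi

    chmod 644 "$crontab_file" || return 2
    printf '%s\n' "$entry" >> "$crontab_file" || return 2
    chmod 444 "$crontab_file" || return 2
    return 0
}

# Single quotes keep $(date +\%s) literal, so the shell started by crond
# expands it at each run and every backup gets its own log file.
# The volume ID is the one used in the comment above; replace it with yours.
GVCB_ENTRY='30 1 * * * /opt/ghettovcb/bin/ghettoVCB.sh -g /opt/ghettovcb/ghettoVCB.conf -a > /vmfs/volumes/61d2e9c0-76524a0c-c1b8-901b0ee82972/virtual-machines/logs/ghettoVCB-backup-$(date +\%s).log'

# In /etc/rc.local.d/local.sh, between stopping and restarting crond:
#   add_cron_entry /var/spool/cron/crontabs/root "$GVCB_ENTRY"
```

Running it twice against the same file leaves a single job line, which matters if local.sh is ever executed again without a reboot resetting the crontab.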