My colleague (thanks Kevin) just alerted me to a default setting on ESX 4 which I think is potentially dangerous these days.  If you hit Ctrl-Alt-Del on an ESX 4 console, it will reboot the server even if there are running VMs, and regardless of whether the server is in Maintenance Mode.

This is an old throwback which most modern Linux distributions disable these days.  To disable this yourself, open /etc/inittab in your favourite editor and comment out the “ca::ctrlaltdel:/sbin/shutdown -t3 -r now” line with a # symbol so it looks like this:

# Trap CTRL-ALT-DELETE
# ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Save and exit the file.  For this to take effect without a reboot, tell init to re-read /etc/inittab by running:

init q
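
The manual edit above can be scripted so that it is repeatable and checkable across hosts. This is an added example, not part of the original post or any VMware tooling; the function names cad_active and cad_disable are hypothetical, and the inittab path is passed as an argument.

```shell
#!/bin/sh
# Added example: audit and disable the Ctrl-Alt-Del trap in an inittab file.
# inittab entries have the form  id:runlevels:action:process

# Print every active (uncommented) entry whose action field is "ctrlaltdel".
# Returns 0 if at least one such entry exists, 1 if there are none.
cad_active() {
    awk -F: '!/^[[:space:]]*#/ && $3 == "ctrlaltdel" { print; found = 1 }
             END { exit !found }' "$1"
}

# Comment out every active ctrlaltdel entry, leaving a backup in <file>.bak.
# Idempotent: a file with no active entry is left untouched.
cad_disable() {
    file=$1
    cad_active "$file" >/dev/null || return 0      # nothing to change
    cp -p "$file" "$file.bak" || return 1          # keep a rollback copy
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Write the edited copy, then overwrite in place so that the original
    # file's owner and mode are preserved.
    awk -F: '!/^[[:space:]]*#/ && $3 == "ctrlaltdel" { print "# " $0; next }
             { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

On a host, run cad_disable /etc/inittab as root followed by init q; afterwards cad_active /etc/inittab should print nothing and return 1.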

This was certainly disabled by default on ESX 3.5 hosts, so I assume that this was an oversight on VMware’s part on the new release.  I have checked the latest patches and there is no mention of this.

UPDATE:

Frank Wegner from VMware has raised this as a bug report with VMware engineering.

UPDATE 2 (4 March 2010):

VMware have just released a patch for ESX 4 hosts to rectify this: http://kb.vmware.com/kb/1017459

 

10 Responses to Dangerous default on ESX 4

  1. Social comments and analytics for this post…

    This post was mentioned on Twitter by PlanetV12n: Dangerous default on ESX 4 (vReference) http://bit.ly/3s7ZBF...

  2. Mike Horwath says:

    haha

    Sorry, this is quite funny, and a little sad!

  3. za_mkh says:

    I experienced this on ESX 3.5 U4 servers too! Thanks for pointing out how to disable it … now doing this on our servers!

  4. Jim Ramsey says:

    This is actually a good practice in any shop with both Windows and Linux hosts. Windows IT people will press to login to a system. With screens blank and/or KVMs in use to save space, you may not be talking to the host you think you are talking to.

  5. I tried to find the values mentioned in the /etc/inittab but they’re not there. Is it correct that this does not apply to ESXi 4?

    • Yes you’re right, this only applies to ESX hosts not ESXi. It’s a “feature” of the Service Console. The “unsupported” busybox implementation on ESXi is just a collection of unix tools.

  6. michael says:

    It took VMware 4 months to release a “critical” patch!

  7. I was not aware of it. Thanks for posting.
