I was doing a precheck before upgrading SDDC Manager v4.4.0.0-feb10 to v4.4.0.0-apr15 (drift bundle) and the precheck failed, as shown below in the screenshot
I found this strange, as the backups are running fine to my sftp-backup host. After a little digging, I found out that there is a local backup user on the SDDC Mangager itself, and that the password expired 9 month ago 🙄
root@00ab-vcf [ ~ ]# id backup
uid=1001(backup) gid=994(backup) groups=994(backup)
root@00ab-vcf [ ~ ]# chage -l backup
Last password change : Sep 09, 2020
Password expires : Sep 09, 2021
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 365
Number of days of warning before password expires : 7
I had upgraded the SDDC Manager from 4.3.1.0 to 4.4.0.0 after that time, so I’ve come to believe two things:
- This is a new precheck in v4.4.0.0
- The upgrade worked fine since I’m backing up to a external sftp server, and the backup never runs locally (which it does by default after installation/stand-up).
Whether or not the upgrade will fail I don’t know, as this precheck failure can be fixed by changing the expiration date for the backup user.
Let’s check the chage options and correct this problem:
root@00ab-vcf [ ~ ]# chage -h
Usage: chage [options] LOGIN
Options:
-d, --lastday LAST_DAY set date of last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-h, --help display this help message and exit
-I, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-l, --list show account aging information
-m, --mindays MIN_DAYS set minimum number of days before password
change to MIN_DAYS
-M, --maxdays MAX_DAYS set maximum number of days before password
change to MAX_DAYS
-R, --root CHROOT_DIR directory to chroot into
-W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS‘-M‘ is our main option here. The value configures how many days until the password will expire. There is a special value here, “99999” which means never expire.
Since I’ve had systems complain about the value of “never” (Workplace ONE Access for instance), I’ve defaulted to “9999” in cases where I need/want a long expiration time. “9999” equals to 27 years+, so in most cases it’s “forever”/”never” expire as well.
I know it’s not a secure option, but I have so far not found a way to change this password and update the SDDC Manager database/configuration to know about the new password. I’ve checked the APIs and I only found the “normal” backup settings for SDDC, not this “hidden” backup user.
If you know, let me know in the comments.
Remember to take a snapshot of SDDC Manager before you alter the system. Also know, making manual changes is probably not supported by VMware (but I found no way to fix this with API).
With snapshot taken, I ran these two commands to extend the password expiration and check the change, and that fixed the problem:
root@00ab-vcf [ ~ ]# chage -I -1 -m 0 -M 9999 -E -1 backup
root@00ab-vcf [ ~ ]# chage -l backup
Last password change : Sep 09, 2020
Password expires : Jan 25, 2048
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 9999
Number of days of warning before password expires : 7The parameters, one by one, means:
-I -1 - Don't set password inactive
-m 0 - Minimum days before password can be changed
-M 9999 - Maximum days before password must be changed
-E -1 - Don't expire the accountGo back to SDDC Manager and rerun the specific test that failed; you don’t need to run the whole set of prechecks from scratch.
All good now:
VMnic 