As more and more Nutanix is deployed out there, it’s useful to have some basic information about managing and maintaining it readily available. Today, I want to talk about Nutanix password management to ensure to help people know what important user accounts and passwords there are, and how to change those passwords. This is important because you generally do not want default passwords set within your environment. Changing default account passwords is the same best practice you’ll find for any other technology.
Nutanix Password Management – Introduction
Within a Nutanix environment, there are several types of accounts to be aware of. These accounts are:
- Nutanix Cluster Accounts – This is the account used to login to Prism, as well as command line utilities such as ncli and PowerShell to manage cluster wide settings, such as container management, cluster health, alerts, etc. for Nutanix Acropolis. Think storage management and heath mainly here.
- Nutanix Controller VM – this is a local account within each Nutanix Controller virtual machine running on each hypervisor host. This account is mainly used for troubleshooting and low level command line type actions. Generally speaking, you will likely not use this without the direction of an advanced Nutanix resource or Nutanix support.
- Nutanix node IPMI – These are accounts stored within the IPMI out of band management interfaces on each Nutanix node. This account is used for imaging your Nutanix nodes with your hypervisor of choice, and for things like remote console access, power cycling the hypervisor host if you’re having problems, etc.
- Hypervisor accounts – these are the local administrator accounts within your hypervisor of choice. Think root for vmware, local Administrator for Hyper-V.
It’s important to secure these accounts properly. That includes changing them regularly, using complex passwords, etc.
Nutanix Password Management – Default Accounts
The following are the default accounts and their passwords for each. This can be helpful for deployments, but also to verify if your Nutanix environment is using the default passwords.
- Nutanix Cluster Account:
- User: Admin (Note the capital “A”!)
- Password: nutanix/4u
- Nutanix Controller VM:
- User: nutanix
- Password: nutanix/4u
- Nutanix node IPMI:
- Nutanix hardware
- User: ADMIN (Note the capital “A”!)
- Password: ADMIN
- Dell hardware
- User: root
- Password: calvin
- Nutanix hardware
- Hypervisor accounts:
- ESXi:
- User: root
- Password: nutanix/4u
- Acropolis Hypervisor (Nutanix’s version of KVM):
- User: root
- Password: nutanix/4u
- ESXi:
Nutanix Password Management – Changing Nutanix Cluster Account Password
This one is pretty straightforward. Simply login to prism as Admin and click to change the password under Settings (Gear symbol) > Change Password.
Nutanix Password Management – Changing Nutanix Controller VM Password
This one is a little more complex. Here are the steps if you’re using ESXi:
- First, SSH into ESXi host.
- Next, SSH into controller from the ESXi server with the following command: ssh nutanix@192.168.5.254
- After that, run the following command: allssh passwd
- Lastly, enter in current and new passwords as it cycles through each controller VM in the cluster.
Here’s a sample output:
[root@NTNX-16SM6B123456-A:~] ssh nutanix@192.168.5.254
Nutanix Controller VM
nutanix@192.168.5.254’s password:
Last login: Thu Nov 3 11:10:47 PDT 2016 from 192.168.10.41 on ssh
Last login: Thu Nov 3 11:11:02 2016 from 192.168.5.1
nutanix@NTNX-16SM6B123456-A-CVM:192.168.10.41:~$ allssh passwd
Executing passwd on the cluster
================== 192.168.10.41 =================
Changing password for user nutanix.
Changing password for nutanix.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to 192.168.10.41 closed.
================== 192.168.10.42 =================
Changing password for user nutanix.
Changing password for nutanix.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to 192.168.10.42 closed.
(This continues through the entire cluster)
Most of all, be sure it shows a successful operation for each node.
Nutanix Password Management – Changing Nutanix Node IPMI Account Password
This can be accomplished two ways. To change the ADMIN account within the GUI:
- First, login to the IPMI interface using a web browser.
- Next, click Configuration > Users.
- Now, click the ADMIN account user, click Modify User, and follow the rest of the prompts.
You can also change the password via SSH on your ESXi servers. This is particularly useful when you do not know your IPMI account credentials.
- First, SSH into your ESXi server.
- Next, find the user ID of the account by running /ipmitool user list
- Finally, use the following command to change the password: /ipmitool user set password <userid> <CoolNewPassword>
Also, you can do this with other hypervisors as well.
Nutanix Password Management – Changing Nutanix Node Hypervisor Account Password
To change the default account password for your hypervisor, you simply conduct this with your password change method of choice for that hypervisor.
For ESXi, you can use passwd, the vSphere Thick Client, or even PowerCLI. Here’s a PowerCLI script I made to change the root password on ESXi servers.
$username = 'root'
$newpassword = 'N3wP@ssw0rd'
$oldpassword = 'nutanix/4u'
$vmhosts = 31..34 | ForEach-Object {"192.168.10." + $_}
$vmhosts
foreach ($vmhost in $vmhosts){
connect-viserver $vmhost -User $username -Password $oldpassword
Set-VMHostAccount –UserAccount $username –Password $newpassword
disconnect-viserver -Confirm:$false
}
Nutanix Password Management – Best Practices
To keep things simple, it is recommended to use the same hypervisor password on each host. Also, while not required, it is recommended to set the controller VM and Prism passwords the same, again for simplicity. You don’t have to.
Hopefully, this allows you to more easily management passwords within your Nutanix environment!