Updating your passwords – the Nutanix Edition

Yesterday we had an “urgent” request to update all of the credentials on our Nutanix clusters. While my colleague worked on the clusters with VMware as a hypervisor, I started with the cluster running AHV as a hypervisor. Although this is a relatively small cluster (11 NX-3060 nodes), I am loath to do a lot of manual work, so I checked the Nutanix Knowledge Base and found KB6153 on NCC Health Check: default_password_check and pc_default_password_check.

Users with a local account on the cluster were asked to change their password by logging on to the cluster, so they can keep their password private, but the built-in accounts for IPMI (ADMIN), AHV host (root) and the CVM (nutanix) have to be reset.

IPMI

Disclaimer

Only applicable on Nutanix nodes (Supermicro)
Maximum allowed length of the IPMI password is 19 characters, except on ESXi hosts (max 15)
Do NOT use the following special characters in the IPMI password: &;`'\"|*?~<>()[]{}$\n\r

Log on to a CVM in the cluster (using SSH) and first find the ID of the admin account in IPMI. To do this we run the following command:

hostssh "ipmitool user list"

Once we have the ID of the ADMIN user (2 in this example), we can change the password by running the next command:

hostssh "ipmitool user set password 2 <NEWPASSWORD>"

After you reset the password it is best practice to restart the BMC firmware, so the IPMI interface is restarted and all sessions are cleared.

hostssh "ipmitool mc reset cold"

Because hostssh runs the command on ALL hosts in the cluster, this already saves some time.

AHV

To change the password of the root account I used the script provided in the KB article, which works great 🙂

echo -e "CHANGING ALL AHV HOST ROOT PASSWORDS. Note - This script cannot be used for passwords that contain special characters ( $ \ { }  ^ &)\nPlease input new password: "; read -s password1; echo "Confirm new password: "; read -s password2; if [ "$password1" == "$password2" ] && [[ ! "$password1" =~ [\\\{\$\^\}\&] ]]; then hostssh "echo -e \"root:${password1}\" | chpasswd"; else echo "The passwords do not match or contain invalid characters (\ $ { } ^ &)"; fi
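The IPMI limits from the disclaimer above and the character restriction in the AHV script can both be checked before anything is sent to the hosts. The following is an added example, not part of the KB article or of this post; the function names are hypothetical, and \n\r in the IPMI list is read as newline and carriage return.

```shell
#!/bin/sh
# Added example (not from the KB article or the post): pre-check a candidate
# password against the limits quoted on this page. All names are hypothetical.
NL='
'
CR=$(printf '\r')
# IPMI list: & ; ` ' \ " | * ? ~ < > ( ) [ ] { } $ plus newline and CR (assumed reading of \n\r).
IPMI_FORBIDDEN='&;`'\''\"|*?~<>()[]{}$'"$NL$CR"
# Characters the AHV root one-liner refuses: $ \ { } ^ &
AHV_FORBIDDEN='$\{}^&'

# Return 0 if any character of $1 occurs in the set $2.
has_forbidden_char() {
  rest=$1
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}   # first character of what is left
    rest=${rest#?}
    # The quoted "$c" is matched literally, so * ? [ are not treated as globs.
    case $2 in *"$c"*) return 0 ;; esac
  done
  return 1
}

# check_ipmi_password <password> [ahv|esxi]: prints a reason and returns 1 on failure.
check_ipmi_password() {
  max=19
  if [ "${2:-ahv}" = esxi ]; then max=15; fi
  if [ -z "$1" ]; then echo "empty password"; return 1; fi
  if [ "${#1}" -gt "$max" ]; then echo "longer than $max characters"; return 1; fi
  if has_forbidden_char "$1" "$IPMI_FORBIDDEN"; then
    echo "contains a character IPMI does not accept"; return 1
  fi
}

# check_ahv_root_password <password>: same check for the AHV root one-liner.
check_ahv_root_password() {
  if [ -z "$1" ]; then echo "empty password"; return 1; fi
  if has_forbidden_char "$1" "$AHV_FORBIDDEN"; then
    echo "contains a character the AHV script rejects"; return 1
  fi
}

# Run with --prompt to read the candidate without echo; only a verdict is printed.
if [ "${1:-}" = --prompt ]; then
  printf 'Candidate password: '; stty -echo; IFS= read -r pw; stty echo; echo
  check_ipmi_password "$pw" ahv && check_ahv_root_password "$pw" &&
    echo "OK for IPMI and the AHV root script"
fi
```

A password that passes one check can still fail the other: ^ is only on the AHV list, while * is only on the IPMI list.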

Prism Element

nutanix account

Now the Nutanix Controller VMs. Still logged on to the CVM, I run the following command:

sudo passwd nutanix

You will be prompted to enter a new password for the local nutanix user account, and this will be synchronised on all the CVMs in the cluster. This command also works on the Prism Central VM (but you need to log on to that VM).

admin account

The admin account is changed via the GUI. Log on to the Prism Element (or Prism Central) page, click on the admin user in the right corner, and enter a new password.
