VxRail: Changing host permissions to allow Health Check tools to run from the Mystic User

Summary: Running VxVerify health checks on VxRail versions since 7.0.010 requires VxRM root permissions to run all tests.

Instructions

Security hardening changes from VxRail 7.0.010 onwards changed ownership and permissions on some VxRail tools binaries and commands to restrict their use by the mystic user.
If customers do not want to share VxRM root passwords with Dell Support, they can modify /etc/sudoers on VxRM to allow VxVerify to start from mystic.

Before starting, customers should make copies of the /etc/sudoers file to revert to afterward.

Two changes are required in the /etc/sudoers file:

  1. Comment out the two lines below (Defaults targetpw and ALL ALL=(ALL) ALL) so that sudo does not prompt for the root password:

    ## In the default (unconfigured) configuration, sudo asks for the root password.
    ## This allows use of an ordinary user account for administration of a freshly
    ## installed system. When configuring sudo, delete the two
    ## following lines:
    # Defaults targetpw # ask for the password of the target user i.e. root
    # ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
  2. Add the mystic line here to allow only VxVerify to be run from mystic:

    ##
    ## User privilege specification
    ##
    root ALL=(ALL) ALL
    mystic ALL=NOPASSWD: /usr/bin/python /tmp/vxverify_3-*.pyc

Customers can use the * wildcard character to make the command not specific to one version.

For example:

    mystic ALL=NOPASSWD: /usr/bin/python /tmp/vxverify_3-10-*.pyc

The above changes mean that the specific command, for the specific version mentioned in this /etc/sudoers file line, can be run from mystic. If other parameters or options are used, the command is blocked.

Once the /etc/sudoers file is updated, the command can be run from the VxRM mystic account, and no service restarts are required.

Similarly, once the changes in /etc/sudoers are reverted, the change takes effect immediately and no service restart is required.
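
The two edits above can be staged on a copy of the file and checked before anything is installed. The script below is an added example, not part of the Dell procedure or tooling: the function name stage_sudoers is hypothetical, the sample sudoers content is constructed, and the rule is pinned to the exact file name from the run example in this article instead of a wildcard.

```shell
#!/bin/sh
# Added example: stage the two /etc/sudoers edits on a copy, not in place.
# stage_sudoers and its arguments are names chosen for this example.
#   $1 sudoers file to read   $2 edited copy to write
#   $3 command mystic may run as root without a password
stage_sudoers() {
    src=$1 out=$2
    rule="mystic ALL=NOPASSWD: $3"
    awk -v rule="$rule" '
        # Change 1: comment out the two targetpw lines if still active.
        /^[ \t]*Defaults[ \t]+targetpw/         { print "# " $0; next }
        /^[ \t]*ALL[ \t]+ALL=\(ALL\)[ \t]+ALL/  { print "# " $0; next }
        # Drop an identical rule from an earlier run so it is not stacked.
        $0 == rule { next }
        { print }
        # Change 2: add the mystic rule directly after the root entry.
        /^[ \t]*root[ \t]+ALL=\(ALL\)[ \t]+ALL/ { print rule; added = 1 }
        END { exit added ? 0 : 1 }
    ' "$src" > "$out" || { rm -f "$out"; return 1; }
    # Reject the copy if sudo's own parser finds a syntax error.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$out" || { rm -f "$out"; return 1; }
    fi
}

# Demo on a constructed sample file (not a real VxRM sudoers).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sudoers" <<'EOF'
Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
root ALL=(ALL) ALL
EOF
stage_sudoers "$demo_dir/sudoers" "$demo_dir/sudoers.new" \
    "/usr/bin/python /tmp/vxverify_3-10-826.pyc" &&
    diff "$demo_dir/sudoers" "$demo_dir/sudoers.new" || true
# On the appliance, as root: cp -p /etc/sudoers /etc/sudoers.bak, stage from
# /etc/sudoers, review the diff, then copy the staged file into place.
```

The function fails and leaves no output file when the root entry is missing or the syntax check rejects the copy, so a bad edit is never produced. Reverting is a copy of the saved backup over /etc/sudoers.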

Alternatively, customers can run VxVerify themselves (with the options recommended by Dell Support) and then provide the vxv*.zip log bundle for review.

To run VxVerify from the mystic account:

    mystic@hostname:/tmp> sudo python /tmp/vxverify_3-10-826.pyc
    Running VxVerify 3.10.826, pre-upgrade healthcheck on VxRail 7.0.131.
    In case of program errors consult article https://www.dell.com/support/kbdoc/000066460.
    Step 1 of 10: VxVerify: Sending Minions to each host. The Minions then run ESXi and VM tests. ...

Additional Information

For more information about VxVerify, see: VxRail: How to run the VxRail Verify tool

Affected Products

VxRail Software

Products

VxRail, VxRail Appliance Family, VxRail Appliance Series

Article Properties

Article Number: 000191504
Article Type: How To
Last Modified: 08 Jul 2025
Version: 5