ESXCLI Overview

This section gives an overview of ESXCLI commands and how to use them. See Getting Started with vSphere Command-Line Interfaces for details.

ESXCLI Commands Available on Different ESXi Hosts

When you run an ESXCLI vCLI command, you must know the commands supported on the target host. For example, if you run commands against ESXi 5.x hosts, ESXCLI 5.x commands are supported. If you run commands against ESXi 6.0 hosts, ESXCLI 6.0 commands are supported.

Some commands or command outputs are determined by the host type. In addition, VMware partners might develop custom ESXCLI commands that you can run on hosts where the partner VIB has been installed.

Run esxcli --server <target> --help for a list of namespaces supported on the target. You can drill down into the namespaces for additional help.

Important ESXCLI on ESX 4.x hosts does not support targeting a vCenter Server system. You can therefore not run ESXCLI commands with --server pointing to a vCenter Server system even if you install vCLI 5.0.

Trust Relationship Requirement for ESXCLI Commands

Starting with vSphere 6.0, ESXCLI checks whether a trust relationship exists between the machine where you run the ESXCLI command and the ESXi host. An error results if the trust relationship does not exist.

To establish the trust relationship, you have these options.

Downloading and Installing the vCenter Server Certificate

You can download the vCenter Server root certificate using a Web browser and add it to the trusted certificates on the machine where you plan on running ESXCLI commands.

To download the certificate

1	Type the URL of the vCenter Server system or vCenter Server Virtual Appliance into a Web Browser.

2	Click the Download trusted root certificates link.

3	Change the extension of the downloaded file to .zip. (The file is a ZIP file of all certificates in the TRUSTED_ROOTS store).

4	Extract the ZIP file.

The result is a certs folder. The folder includes files with the extension .0. .1, and so on, which are certificates, and files with the extension .r0, r1, and so on which are CRL files associated with the certificates.

5	Add the trusted root certificates to the list of trusted roots. The process differs depending on the platform you are on.

You can now run ESXCLI commands against any host that is managed by the trusted vCenter Server without supplying additional information if you specify the vCenter Server in the --server option and the ESXi host in the --vihost option.

Using the --cacertsfile Option

Using a certificate to establish the trust relationship is the most secure option. You can specify the certificate with the --cacertsfile parameter or the VI_CACERTFILE variable.

Using the --thumbprint Option

You can supply the thumbprint for the target server (ESXi host or vCenter Server system) in the --thumbprint parameter (VI_THUMBPRINT variable).

When you run a command, ESXCLI checks first whether a certificate file is available. If not, ESXCLI checks whether a thumbprint of the target server is available. If not, an error like the following results:

Connect to sof-40583-srv failed. Server SHA-1 thumbprint: 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:Usin63:82:C5:16:51 (not trusted).

You can run the command with the thumbprint to establish the trust relationship, or add the thumbprint to the VI_THUMBPRINT variable. For example, using the thumbprint of the ESXi host above, you can run the following command:

esxcli --server myESXi --username user1 --password 'my_password' --thumbprint 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 storage nfs list

Using the Credential Store

Your vCLI installation includes a credential store. You can manage the credential store with the credstore-admin utility application, which is located in the /Perl/apps/general directory inside the VMware vSphere CLI directory.

Important Updating the credential store is a two-step process. First you add the user and password for the server, and then you add the thumbprint for the server.

To establish trust for a user with the credential store

1	Add the user and password for the target ESXi host to the local credential store.

credstore_admin.pl add --server <esxi_HOSTNAME_OR_IP> --username <user> --password <pwd>

2	Add the thumbprint for the target ESXi host. This thumbprint was returned in the error when you attempted to connect to the host.

credstore_admin.pl add --server <esxi_HOSTNAME_OR_IP> --thumbprint <thumbprint>

3	If you are using a non-default credential store file, you have to pass it in with the --credstore option. Otherwise, this user will be able to access the host without authentication going forward.

Using ESXCLI Output

Many ESXCLI commands generate output you might want to use in your application. You can run esxcli with the --formatter dispatcher option and send the resulting output as input to a parser.

The --formatter options supports three values, csv, xml, and keyvalue and is used before any namespace.

esxcli --formatter=csv storage filesystem list

Lists all file system information in CSV format.

You can pipe the output to a file.

esxcli --formatter=keyvalue storage filesystem list > myfilesystemlist.txt

Important Always use a formatter for consistent output.