@william-billaud william-billaud commented Jan 20, 2026

Enhance ESXiOs plugin, especially for non disk collection.

  • On ESXi7 and later: users are also stored in the configstore. Merge entries from configstore and /etc/passwd when possible.
  • On ESXi8 and later: hostname/IPs are also stored in the configstore
  • Add vm-support samples from ESXi 7 and 9 (in addition to the already present 6 and 8), and a UAC collection sample from the same ESXi9
  • Properly symlink log folders (related to Add support for ESXI auth, hostd and shell logs. #1385): symlink to /var/run/log from log_dir (defaulting to /scratch/log) as this is what is observed on live ESXi hosts. I was not able to test with a disk where a locker partition is present. (ESXi9 sample has an unusual log dir)
  • Ensure compatibility with raw disk (already broken before this PR).
  • Fix issue with a warning related to local.tgz.ve: the warning was issued even if decryption worked properly.

Other changes

  • Change the configstore get plugins signature to ease key retrieval.

Note

  • Maybe we could have a public plugin to yield all entries from configstore?
  • Remove the symlink between /var/log and log_dir, as what is observed on ESXi hosts is a bit more complex than a simple folder symlink (only some files are symlinked). Furthermore, /var/log may already contain some files (depending on how ESXi is collected).
  • I still have no idea where the /etc/passwd file is stored on disk....

Test on raw disk

hostname,os,domain,version,ips

❯ uv run --python 3.12 --refresh --extra dev --extra full target-query -f hostname,os,domain,version,ips --cmdb -d ";"   ~/Documents/VM/esxi_*
2026-01-21T14:14:30.343866Z [warning  ] Failed to detect <class 'dissect.target.volumes.bde.BitlockerVolumeSystem'> volume system [dissect.target.volume]
2026-01-21T14:14:30.344076Z [warning  ] Failed to detect <class 'dissect.target.volumes.bde.BitlockerVolumeSystem'> volume system [dissect.target.volume]
2026-01-21T14:14:30.344231Z [warning  ] Failed to detect <class 'dissect.target.volumes.bde.BitlockerVolumeSystem'> volume system [dissect.target.volume]
2026-01-21T14:14:30.344377Z [warning  ] Failed to detect <class 'dissect.target.volumes.bde.BitlockerVolumeSystem'> volume system [dissect.target.volume]
2026-01-21T14:14:30.509153Z [warning  ] Failed to detect fat filesystem [dissect.target.filesystem]
2026-01-21T14:14:30.509428Z [warning  ] Failed to detect fat filesystem [dissect.target.filesystem]
2026-01-21T14:14:30.509606Z [warning  ] Failed to detect fat filesystem [dissect.target.filesystem]
2026-01-21T14:14:30.509776Z [warning  ] Failed to detect fat filesystem [dissect.target.filesystem]
2026-01-21T14:14:30.928605Z [warning  ] <Target /home/username/Documents/VM/esxi_6>: No configstore found, unable to mount NFS shares [dissect.target.target]
/home/username/Documents/VM/esxi_6;localhost;esxi;;6.7.0-14320388;['192.168.122.133']
2026-01-21T14:14:31.309403Z [warning  ] <Target /home/username/Documents/VM/esxi_7>: local.tgz is encrypted but static decryption failed and no dynamic decryption available! [dissect.target.target]
2026-01-21T14:14:31.332288Z [warning  ] <Target /home/username/Documents/VM/esxi_7>: Failed to read log_dir from configstore, falling back to /scratch/log [dissect.target.target]
/home/username/Documents/VM/esxi_7;localhost;esxi;;7.0.3-0.50.20036589;['192.168.122.186']
2026-01-21T14:14:31.765350Z [warning  ] <Target /home/username/Documents/VM/esxi_8>: local.tgz is encrypted but static decryption failed and no dynamic decryption available! [dissect.target.target]
2026-01-21T14:14:31.772127Z [warning  ] <Target /home/username/Documents/VM/esxi_8>: No locker.conf! [dissect.target.target]
2026-01-21T14:14:31.796267Z [warning  ] <Target /home/username/Documents/VM/esxi_8>: Failed to read log_dir from configstore, falling back to /scratch/log [dissect.target.target]
/home/username/Documents/VM/esxi_8;localhost;esxi;;8.0.3-0.70.24677879;['192.168.122.169']
2026-01-21T14:14:32.368219Z [warning  ] <Target /home/username/Documents/VM/esxi_9>: local.tgz is encrypted but static decryption failed and no dynamic decryption available! [dissect.target.target]
2026-01-21T14:14:32.375326Z [warning  ] <Target /home/username/Documents/VM/esxi_9>: No locker.conf! [dissect.target.target]
/home/username/Documents/VM/esxi_9;testdissecthostname;esxi;;9.0.0-0.24678710;['192.168.122.43']

users (/etc/passwd is not found)

2026-01-21T14:16:01.285996Z [warning  ] Failed to detect <class 'dissect.target.volumes.bde.BitlockerVolumeSystem'> volume system [dissect.target.volume]
2026-01-21T14:16:01.286216Z [warning  ] Failed to detect <class 'dissect.target.volumes.bde.BitlockerVolumeSystem'> volume system [dissect.target.volume]
2026-01-21T14:16:01.286372Z [warning  ] Failed to detect <class 'dissect.target.volumes.bde.BitlockerVolumeSystem'> volume system [dissect.target.volume]
2026-01-21T14:16:01.286514Z [warning  ] Failed to detect <class 'dissect.target.volumes.bde.BitlockerVolumeSystem'> volume system [dissect.target.volume]
2026-01-21T14:16:01.444591Z [warning  ] Failed to detect fat filesystem [dissect.target.filesystem]
2026-01-21T14:16:01.444897Z [warning  ] Failed to detect fat filesystem [dissect.target.filesystem]
2026-01-21T14:16:01.445089Z [warning  ] Failed to detect fat filesystem [dissect.target.filesystem]
2026-01-21T14:16:01.445263Z [warning  ] Failed to detect fat filesystem [dissect.target.filesystem]
2026-01-21T14:16:01.863867Z [warning  ] <Target /home/username/Documents/VM/esxi_6>: No configstore found, unable to mount NFS shares [dissect.target.target]
2026-01-21T14:16:02.400611Z [warning  ] <Target /home/username/Documents/VM/esxi_7>: local.tgz is encrypted but static decryption failed and no dynamic decryption available! [dissect.target.target]
2026-01-21T14:16:02.425703Z [warning  ] <Target /home/username/Documents/VM/esxi_7>: Failed to read log_dir from configstore, falling back to /scratch/log [dissect.target.target]
<unix/esxi/user hostname='localhost' domain='' name='dissect' passwd='$6$Je3FDwGydixavc9.$bEmwd8pvoepPzyS1abtE9Kvf9PHzJHbw2Lv3J21EckE43NSfKCQOJhTgZw8I/zYJguO7oEWHl3HwAfWA6XtbI1' uid=1000 gid=None gecos='Test dissect' home=None shell=None source='/var/lib/vmware/configstore/backup/current-store-1' modified_time=2026-01-20 09:24:23+00:00 creation_time=2026-01-20 09:24:23+00:00 shell_access=True>
<unix/esxi/user hostname='localhost' domain='' name='vpxuser' passwd=None uid=500 gid=None gecos='VMware VirtualCenter administration account' home=None shell=None source='/var/lib/vmware/configstore/backup/current-store-1' modified_time=2026-01-20 09:24:23+00:00 creation_time=2026-01-20 09:24:23+00:00 shell_access=True>
<unix/esxi/user hostname='localhost' domain='' name='root' passwd='$6$cRPwJbRs$WTktOkl8mNvXGUCNgsVCrOf6WCFiPhEAyDLRhOn8KUoi99Go6DRQuIj9OSC/aPnFONVuHufnQXZJrZyMHmKL50' uid=0 gid=None gecos='Administrator' home=None shell=None source='/var/lib/vmware/configstore/backup/current-store-1' modified_time=2026-01-20 09:24:23+00:00 creation_time=2026-01-20 09:24:23+00:00 shell_access=True>
<unix/esxi/user hostname='localhost' domain='' name='dcui' passwd=None uid=100 gid=None gecos='DCUI User' home=None shell=None source='/var/lib/vmware/configstore/backup/current-store-1' modified_time=2026-01-20 09:24:23+00:00 creation_time=2026-01-20 09:24:23+00:00 shell_access=True>
2026-01-21T14:16:02.857844Z [warning  ] <Target /home/username/Documents/VM/esxi_8>: local.tgz is encrypted but static decryption failed and no dynamic decryption available! [dissect.target.target]
2026-01-21T14:16:02.864584Z [warning  ] <Target /home/username/Documents/VM/esxi_8>: No locker.conf! [dissect.target.target]
2026-01-21T14:16:02.886877Z [warning  ] <Target /home/username/Documents/VM/esxi_8>: Failed to read log_dir from configstore, falling back to /scratch/log [dissect.target.target]
<unix/esxi/user hostname='localhost' domain='' name='root' passwd='$6$f1JgHCt.$ZVhJNKYJG7c2T5V4MaRAMkcPvCl4CW2BVWMnCkcBnKN.RFPvHl3YfFlWOg4y1roV32Ohjp14k5W5BHKALhqvH0' uid=0 gid=None gecos='Administrator' home=None shell=None source='/var/lib/vmware/configstore/backup/current-store-1' modified_time=2025-10-28 08:36:37+00:00 creation_time=2025-10-28 08:36:37+00:00 shell_access=True>
2026-01-21T14:16:03.393996Z [warning  ] <Target /home/username/Documents/VM/esxi_9>: local.tgz is encrypted but static decryption failed and no dynamic decryption available! [dissect.target.target]
2026-01-21T14:16:03.401551Z [warning  ] <Target /home/username/Documents/VM/esxi_9>: No locker.conf! [dissect.target.target]
<unix/esxi/user hostname='testdissecthostname' domain='' name='root' passwd='$6$/iAvNeSq$bczTTF.faiOTDGFZPU3flrm4iPzNDYhP0BgPZ3tzVZFnyZ0WCd7PrSOOSJgpir/CPwNuzCbsBaiRbTN7vAPEg.' uid=0 gid=None gecos='Administrator' home=None shell=None source='/var/lib/vmware/configstore/backup/current-store-1' modified_time=2026-01-20 16:09:01+00:00 creation_time=2026-01-09 16:20:11+00:00 shell_access=True>
<unix/esxi/user hostname='testdissecthostname' domain='' name='dissect_user_no_shell' passwd='$6$Dx0j.EDo.n6gU/QQ$sLzq9aFddo5JVWkMZlZ8s5qtB9oegp0LrvF66DRB/x.HhM4E.SegT6TLeOy8.zjZ4F0w5Yd.4MybHFr7qPOsB.' uid=1001 gid=None gecos='Test user for dissect, without shell access' home=None shell=None source='/var/lib/vmware/configstore/backup/current-store-1' modified_time=2026-01-20 16:09:01+00:00 creation_time=2026-01-20 13:34:51+00:00 shell_access=False>
<unix/esxi/user hostname='testdissecthostname' domain='' name='dissect_user' passwd='$6$erZ/ikbeBDrekbwg$VeqrV7HqhLCtU.K2XA/FDSKWKf1DovFyrmlRgbhUs3ZwdsYi9m6K.pxYAD8XgK4WTymBTyOkSlj.QxwSRlLLj0' uid=1000 gid=None gecos='Test user for dissect data sample (with shell access)' home=None shell=None source='/var/lib/vmware/configstore/backup/current-store-1' modified_time=2026-01-20 16:09:01+00:00 creation_time=2026-01-20 13:34:11+00:00 shell_access=True>

william-billaud marked this pull request as draft January 20, 2026 14:15
william-billaud changed the title from "Draft: Improve ESXiPlugin (support for recent version" to "Draft: Improve ESXiPlugin support for recent version" Jan 20, 2026
@export(record=[ESXiUserRecord, UnixUserRecord])
def users(self) -> Iterator[ESXiUserRecord | UnixUserRecord]:
if self.version and self.version[0] < "7":
yield from super().users(sessions=False)
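Review bot: the version gate `self.version[0] < "7"` compares strings, so the ordering is lexicographic: a major version written with two digits would sort below "7" and be routed to the pre-7 `super().users(sessions=False)` path. Convert the major component to an integer before comparing. Also, when `self.version` is empty the condition is false and execution continues past this branch as if the host were version 7 or later; an explicit branch or a comment stating that this is intended would help.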
Member

Maybe just extract the information from the UnixUserRecord and put it in a new ESXiUserRecord so that we only have that as return type.

Contributor Author

Will do. After further analysis, /etc/passwd is still present in ESXi7+, just not collected by vmsupport/available from raw disk (probably located in local.tgz.ve). Thus I will merge both entries if available.
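
The merge discussed in this review thread, sketched as an added example that is not part of the pull request or of dissect.target. Field names follow the record output shown above; the merge policy (configstore values win, /etc/passwd fills fields left as None), the helper names and the sample input are assumptions.

```python
# Added illustration, not dissect.target code. Field names follow the record
# output in this thread; the merge policy is an assumption: configstore values
# win, /etc/passwd fills fields the configstore left as None.
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text, source="/etc/passwd"):
    """Parse passwd(5) lines into dicts keyed by user name."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7:
            continue  # blank, comment or malformed line: skip rather than guess
        entry = dict(zip(PASSWD_FIELDS, parts))
        for key in ("uid", "gid"):
            entry[key] = int(entry[key]) if entry[key].isdigit() else None
        if entry["passwd"] in ("", "x", "*"):
            entry["passwd"] = None  # placeholder, the hash is stored elsewhere
        entry["sources"] = [source]
        users[entry["name"]] = entry
    return users


def merge_users(configstore_users, passwd_users):
    """Return one entry per user name, recording every source that had it."""
    merged = {}
    for name in sorted(set(configstore_users) | set(passwd_users)):
        cs = configstore_users.get(name, {})
        pw = passwd_users.get(name, {})
        entry = {}
        for key in (set(cs) | set(pw)) - {"sources"}:
            entry[key] = cs[key] if cs.get(key) is not None else pw.get(key)
        entry["sources"] = cs.get("sources", []) + pw.get("sources", [])
        merged[name] = entry
    return merged


# Constructed sample input (hashes are placeholders, not real values).
STORE = "/var/lib/vmware/configstore/backup/current-store-1"
CONFIGSTORE_USERS = {
    "root": {"name": "root", "passwd": "$6$placeholder$hash", "uid": 0,
             "gid": None, "gecos": "Administrator", "home": None,
             "shell": None, "shell_access": True, "sources": [STORE]},
    "dissect_user_no_shell": {"name": "dissect_user_no_shell", "passwd": None,
                              "uid": 1001, "gid": None, "gecos": "Test user",
                              "home": None, "shell": None,
                              "shell_access": False, "sources": [STORE]},
}
PASSWD_TEXT = "root:x:0:0:Administrator:/:/bin/sh\ndaemon:x:2:2:daemon:/:/sbin/nologin\nbroken line\n"
MERGED = merge_users(CONFIGSTORE_USERS, parse_passwd(PASSWD_TEXT))
```

Keeping a list of sources per merged entry lets an analyst see which artefact each account came from, which matters when only one of the two is present in a collection.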

william-billaud changed the title from "Draft: Improve ESXiPlugin support for recent version" to "Improve ESXiPlugin support for recent version" Jan 21, 2026
william-billaud marked this pull request as ready for review January 21, 2026 14:23
william-billaud added a commit to william-billaud/dissect.target that referenced this pull request Jan 21, 2026
Successfully merging this pull request may close these issues.

ESXi: No users found