Permission error when deploying micro BOSH on vSphere

Ashish Shrestha

Mar 24, 2015, 11:51:39 AM
to bosh-...@cloudfoundry.org
Hi, All.

I am trying to deploy micro bosh on vSphere. The stem cell is uploaded (vsphere-esxi-ubuntu-trusty-go_agent 2881) and created successfully; however, when trying to create a VM using the stem cell, it fails with a permission error.

The user used to interact with vSphere has been given all privileges to the folders, datastore and cluster. What permission is missing?

I have attached the log, manifest and bosh gem version and status in the attached log.tar.gz.

Can you please help identify what permission I am missing or what I am doing wrong? Is there any additional information I need to provide?

My aim is to deploy CloudFoundry on vSphere and I am following the instructions at http://docs.cloudfoundry.org/deploying/vsphere/

I am doing the first step of deploying micro bosh.

Thank you,
Ashish
log.tar.gz

Ashish Shrestha

Mar 24, 2015, 12:07:37 PM
to bosh-...@cloudfoundry.org
Sorry, forgot to mention. The log shows an error saying it can't upload a file while loading env.json. I used the vSphere client and was able to upload a file to the datastore successfully. That is why I am not sure what permission I am missing.

Regards,
Ashish

Dmitriy Kalinin

Mar 24, 2015, 4:40:08 PM
to bosh-...@cloudfoundry.org
Here is a list of known needed permissions:

'Folder.Create',
'Folder.Delete',
'Folder.Rename',
'Folder.Move',
'Datastore.AllocateSpace',
'Datastore.Browse',
'Datastore.DeleteFile',
'Datastore.UpdateVirtualMachineFiles',
'Datastore.FileManagement',
'Network.Assign',
'VirtualMachine.Inventory.Create',
'VirtualMachine.Inventory.CreateFromExisting',
'VirtualMachine.Inventory.Register',
'VirtualMachine.Inventory.Delete',
'VirtualMachine.Inventory.Unregister',
'VirtualMachine.Inventory.Move',
'VirtualMachine.Interact.PowerOn',
'VirtualMachine.Interact.PowerOff',
'VirtualMachine.Interact.Suspend',
'VirtualMachine.Interact.Reset',
'VirtualMachine.Interact.AnswerQuestion',
'VirtualMachine.Interact.ConsoleInteract',
'VirtualMachine.Interact.DeviceConnection',
'VirtualMachine.Interact.SetCDMedia',
'VirtualMachine.Interact.ToolsInstall',
'VirtualMachine.Interact.GuestControl',
'VirtualMachine.Interact.DefragmentAllDisks',
'VirtualMachine.GuestOperations.Query',
'VirtualMachine.GuestOperations.Modify',
'VirtualMachine.GuestOperations.Execute',
'VirtualMachine.Config.Rename',
'VirtualMachine.Config.Annotation',
'VirtualMachine.Config.AddExistingDisk',
'VirtualMachine.Config.AddNewDisk',
'VirtualMachine.Config.RemoveDisk',
'VirtualMachine.Config.RawDevice',
'VirtualMachine.Config.CPUCount',
'VirtualMachine.Config.Memory',
'VirtualMachine.Config.AddRemoveDevice',
'VirtualMachine.Config.EditDevice',
'VirtualMachine.Config.Settings',
'VirtualMachine.Config.Resource',
'VirtualMachine.Config.ResetGuestInfo',
'VirtualMachine.Config.AdvancedConfig',
'VirtualMachine.Config.DiskLease',
'VirtualMachine.Config.SwapPlacement',
'VirtualMachine.Config.DiskExtend',
'VirtualMachine.Config.ChangeTracking',
'VirtualMachine.Config.Unlock',
'VirtualMachine.Config.ReloadFromPath',
'VirtualMachine.Config.MksControl',
'VirtualMachine.Config.ManagedBy',
'VirtualMachine.State.CreateSnapshot',
'VirtualMachine.State.RevertToSnapshot',
'VirtualMachine.State.RemoveSnapshot',
'VirtualMachine.State.RenameSnapshot',
'VirtualMachine.Provisioning.Customize',
'VirtualMachine.Provisioning.Clone',
'VirtualMachine.Provisioning.PromoteDisks',
'VirtualMachine.Provisioning.DeployTemplate',
'VirtualMachine.Provisioning.CloneTemplate',
'VirtualMachine.Provisioning.MarkAsTemplate',
'VirtualMachine.Provisioning.MarkAsVM',
'VirtualMachine.Provisioning.ReadCustSpecs',
'VirtualMachine.Provisioning.ModifyCustSpecs',
'VirtualMachine.Provisioning.DiskRandomAccess',
'VirtualMachine.Provisioning.DiskRandomRead',
'VirtualMachine.Provisioning.GetVmFiles',
'VirtualMachine.Provisioning.PutVmFiles',
'Resource.AssignVMToPool',
'VApp.Import',

Though we have recently changed the vSphere CPI, which might now require a vCenter server permission.

Ashish Shrestha

Mar 25, 2015, 5:38:20 AM
to bosh-...@cloudfoundry.org
The user used to deploy microbosh is in a role which has "all" privileges given at the levels of the vSphere hierarchy shown below.

vcenter server (role has no privilege at this level)
  --  data center (role has read only privileges at this level)
      -- cf-vms (role given all privileges at this level)
      -- cf-stemcells (role given all privileges at this level)
      -- Cloud  --> (folder; role given all privileges at this level)
         -- vsanDatastore (role inherits all privileges at this level)
              -- cf-disks (role inherits all privileges at this level)
      -- Cloud (cluster; role given all privileges at this level)
      -- VM Cloud (network; role given all privileges at this level)

Do I need to allow the user to have those permissions/privileges at higher levels like the whole data center?

Ashish

Maria Shaldibina

Mar 26, 2015, 12:39:22 PM
to bosh-...@cloudfoundry.org
Hi Ashish,

You need to have the 'System.View' permission on the vCenter server. That stemcell introduced a new API call to virtualdiskmanager and requires that permission.

best,
Maria

Ashish Shrestha

Mar 31, 2015, 2:02:51 PM
to bosh-...@cloudfoundry.org
Thank you for the information.

Also realized that the permissions have to be at the Data Center level. Previously, I had applied the permissions on folders, datastore and network.

Ashish
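
Added example (not part of the thread and not BOSH or VMware code): a small model of the inventory described above that shows which privileges are missing at the vCenter server and data center levels before and after the fix reported in the thread. It assumes that a role set directly on an object overrides the inherited one and that roles propagate to children; the privilege subset, the object names and the READ_ONLY and ALL role contents are constructed for the illustration.

```python
# Added example: simplified model of vSphere permission inheritance.
# Assumption: a role set directly on an object overrides the inherited one;
# otherwise the nearest ancestor's role applies (propagation enabled).

READ_ONLY = {"System.Anonymous", "System.Read", "System.View"}
# Constructed subset of the privilege list posted in the thread.
REQUIRED_AT_DATACENTER = {
    "Folder.Create", "Datastore.AllocateSpace", "Datastore.FileManagement",
    "Network.Assign", "VirtualMachine.Inventory.Create",
    "Resource.AssignVMToPool", "VApp.Import",
}
REQUIRED_AT_VCENTER = {"System.View"}
ALL = REQUIRED_AT_DATACENTER | READ_ONLY  # stand-in for "all privileges"

# Inventory from the thread, child -> parent.
PARENT = {
    "vcenter": None, "datacenter": "vcenter",
    "cf-vms": "datacenter", "cf-stemcells": "datacenter",
    "Cloud (folder)": "datacenter", "vsanDatastore": "Cloud (folder)",
    "cf-disks": "vsanDatastore",
    "Cloud (cluster)": "datacenter", "VM Cloud": "datacenter",
}

# Role assignments as first described (no entry = no role at that level).
BEFORE = {"datacenter": READ_ONLY, "cf-vms": ALL, "cf-stemcells": ALL,
          "Cloud (folder)": ALL, "Cloud (cluster)": ALL, "VM Cloud": ALL}
# Assignments after the fix reported at the end of the thread.
AFTER = {"vcenter": {"System.View"}, "datacenter": ALL}

def effective(obj, grants):
    """Privileges in force on obj: nearest explicit grant walking upward."""
    while obj is not None:
        if obj in grants:
            return grants[obj]
        obj = PARENT[obj]
    return set()

def missing(grants):
    """Map each checked level to the sorted privileges it still lacks."""
    checks = {"vcenter": REQUIRED_AT_VCENTER,
              "datacenter": REQUIRED_AT_DATACENTER}
    report = {}
    for obj, required in checks.items():
        gap = required - effective(obj, grants)
        if gap:
            report[obj] = sorted(gap)
    return report

if __name__ == "__main__":
    for name, grants in (("before", BEFORE), ("after", AFTER)):
        print(name, missing(grants) or "nothing missing")
```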