Tuesday, December 6, 2011

check_esx3 error "Permission to perform this operation was denied"

Today I was setting up VMware vSphere Hypervisor (ESXi 5.0) on a new server. Since I'm on the Kool-aid, the first thing I do when setting up a server is getting some kind of Nagios monitoring going. For several years, on ESXi servers, I have been using op5's check_esx3 plugin. Today was the first time I had set up an ESXi 5.0 server though, and when I first ran it after creating my Nagios user in ESXi I got the following error:
Permission to perform this operation was denied

The weird thing was that when I would run the check as root, it would work fine. I figured it must be a permissions issue, but my Nagios user was already a member of the root group. On to the fun. So after a lot of Googling, syslog reading and whatnot I figured out what the issue was. The authentication for handling the VMware vSphere SDK for Perl (which is what allows the check_esx3 plugin to work) is done in a file called /etc/vmware/hostd/authorization.xml. It looks like this:
  <ACEData id="10">

The quick among you may have noticed that when it authenticates, it expects root to be a user, and not a group. Well, we want it to authenticate with the root group, so we can use non-root users. You'll need to enable either SSH or console access to edit it. Just use:
vi /etc/vmware/hostd/authorization.xml

Change this line:

to this:

and save. From the  DCUI (Direct Console User Interface), you know, the regular yellow and grey interface on the ESXi server, just restart the Management Agents (Troubleshooting Options -> Restart Management Agents). I think you can also restart the management agents with these two commands, but it isn't "supported", so don't say I didn't warn you.
/sbin/services.sh restart
/etc/init.d/sfcbd-watchdog restart

As always, if you found this helpful, drop me a comment. They make me feel all fuzzy.


  1. Great, great, great! thank you very much for sharing this valuable information. It have been very useful for us after searching for hours :-D

  2. Two year old post, still perfectly valid! Thank you so much for sharing this!