Today I was setting up VMware vSphere Hypervisor (ESXi 5.0) on a new server. Since I'm on the Kool-aid, the first thing I do when setting up a server is getting some kind of Nagios monitoring going. For several years, on ESXi servers, I have been using op5's check_esx3 plugin. Today was the first time I had set up an ESXi 5.0 server though, and when I first ran it after creating my Nagios user in ESXi I got the following error:
Permission to perform this operation was denied
The weird thing was that when I would run the check as root, it would work fine. I figured it must be a permissions issue, but my Nagios user was already a member of the root group. On to the fun. So after a lot of Googling, syslog reading and whatnot I figured out what the issue was. The authorization for the VMware vSphere SDK for Perl (which is what allows the check_esx3 plugin to work) is handled in a file called /etc/vmware/hostd/authorization.xml. It looks like this:
<ConfigRoot>
  <ACEData id="10">
    <ACEDataEntity>ha-folder-root</ACEDataEntity>
    <ACEDataId>10</ACEDataId>
    <ACEDataIsGroup>false</ACEDataIsGroup>
    <ACEDataPropagate>true</ACEDataPropagate>
    <ACEDataRoleId>-1</ACEDataRoleId>
    <ACEDataUser>root</ACEDataUser>
  </ACEData>
  <NextAceId>11</NextAceId>
</ConfigRoot>
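The quick among you may have noticed that the entry expects root to be a user, and not a group. Well, we want it to match the root group, so we can use non-root users. Keep in mind that role ID -1 is the built-in Administrator role and the entry propagates from ha-folder-root, so after this change every member of the root group has full administrative rights on the host. You'll need to enable either SSH or console access to edit it. Just use: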
vi /etc/vmware/hostd/authorization.xml
Change this line:
<ACEDataIsGroup>false</ACEDataIsGroup>
to this:
<ACEDataIsGroup>true</ACEDataIsGroup>
and save. From the DCUI (Direct Console User Interface), you know, the regular yellow and grey interface on the ESXi server, just restart the Management Agents (Troubleshooting Options -> Restart Management Agents). I think you can also restart the management agents with these two commands, but it isn't "supported", so don't say I didn't warn you.
/sbin/services.sh restart
/etc/init.d/sfcbd-watchdog restart
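To review what the edited file actually grants, here is an added example (not from the original post or from VMware) that parses an authorization.xml document and flags group entries holding the Administrator role. The role-id table, the function names and the second sample entry (a hypothetical nagios user) are assumptions constructed for illustration; run it on a workstation against a copy of the file.

```python
import sys
import xml.etree.ElementTree as ET

# Built-in vSphere role ids (assumed from the vSphere API, not stated in the post).
ROLES = {-1: "Administrator", -2: "ReadOnly", -5: "NoAccess"}

# Constructed sample: the post's entry after the edit, plus a hypothetical user entry.
SAMPLE = """<ConfigRoot>
  <ACEData id="10">
    <ACEDataEntity>ha-folder-root</ACEDataEntity><ACEDataId>10</ACEDataId>
    <ACEDataIsGroup>true</ACEDataIsGroup><ACEDataPropagate>true</ACEDataPropagate>
    <ACEDataRoleId>-1</ACEDataRoleId><ACEDataUser>root</ACEDataUser>
  </ACEData>
  <ACEData id="11">
    <ACEDataEntity>ha-folder-root</ACEDataEntity><ACEDataId>11</ACEDataId>
    <ACEDataIsGroup>false</ACEDataIsGroup><ACEDataPropagate>true</ACEDataPropagate>
    <ACEDataRoleId>-2</ACEDataRoleId><ACEDataUser>nagios</ACEDataUser>
  </ACEData>
  <NextAceId>12</NextAceId>
</ConfigRoot>"""

def parse_aces(xml_text):
    """Return one dict per <ACEData> entry of an authorization.xml document."""
    aces = []
    for node in ET.fromstring(xml_text).iter("ACEData"):
        def get(tag):
            return (node.findtext(tag) or "").strip()
        role = int(get("ACEDataRoleId"))
        aces.append({
            "id": node.get("id"),
            "entity": get("ACEDataEntity"),
            "principal": get("ACEDataUser"),
            "is_group": get("ACEDataIsGroup").lower() == "true",
            "propagate": get("ACEDataPropagate").lower() == "true",
            "role": ROLES.get(role, "custom role %d" % role),
        })
    return aces

def risky_aces(aces):
    """Group entries holding Administrator: every member of the group inherits it."""
    return [a for a in aces if a["is_group"] and a["role"] == "Administrator"]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ace in parse_aces(text):
        kind = "group" if ace["is_group"] else "user"
        flag = "  <-- every group member gets this" if risky_aces([ace]) else ""
        print("%s %s: %s on %s%s" % (kind, ace["principal"], ace["role"], ace["entity"], flag))
```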
As always, if you found this helpful, drop me a comment. They make me feel all fuzzy.
Great, great, great! Thank you very much for sharing this valuable information. It has been very useful for us after searching for hours :-D
Two year old post, still perfectly valid! Thank you so much for sharing this!