Tuesday, December 6, 2011

check_esx3 error "Permission to perform this operation was denied"

Today I was setting up VMware vSphere Hypervisor (ESXi 5.0) on a new server. Since I'm on the Kool-aid, the first thing I do when setting up a server is getting some kind of Nagios monitoring going. For several years, on ESXi servers, I have been using op5's check_esx3 plugin. Today was the first time I had set up an ESXi 5.0 server though, and when I first ran it after creating my Nagios user in ESXi I got the following error:
Permission to perform this operation was denied

The weird thing was that when I ran the check as root, it worked fine. I figured it must be a permissions issue, but my Nagios user was already a member of the root group. On to the fun. After a lot of Googling, syslog reading and whatnot, I figured out what the issue was.

Access for the VMware vSphere SDK for Perl (which is what allows the check_esx3 plugin to work) is controlled by a file called /etc/vmware/hostd/authorization.xml. It looks like this:
<ConfigRoot>
  <ACEData id="10">
    <ACEDataEntity>ha-folder-root</ACEDataEntity>
    <ACEDataId>10</ACEDataId>
    <ACEDataIsGroup>false</ACEDataIsGroup>
    <ACEDataPropagate>true</ACEDataPropagate>
    <ACEDataRoleId>-1</ACEDataRoleId>
    <ACEDataUser>root</ACEDataUser>
  </ACEData>
  <NextAceId>11</NextAceId>
</ConfigRoot>

The quick among you may have noticed that when it authenticates, it expects root to be a user, and not a group. Well, we want it to authenticate with the root group, so we can use non-root users. You'll need to enable either SSH or console access to edit it. Just use:
vi /etc/vmware/hostd/authorization.xml

Change this line:
<ACEDataIsGroup>false</ACEDataIsGroup>

to this:
<ACEDataIsGroup>true</ACEDataIsGroup>

and save. From the DCUI (Direct Console User Interface), you know, the regular yellow and grey interface on the ESXi server, just restart the Management Agents (Troubleshooting Options -> Restart Management Agents). I think you can also restart the management agents with these two commands, but it isn't "supported", so don't say I didn't warn you.
/sbin/services.sh restart
/etc/init.d/sfcbd-watchdog restart
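
To check what the edited file grants, here is an added example (not from the original post or from check_esx3) that parses authorization.xml and flags entries giving a whole group the Admin role, which is what role id -1 on ha-folder-root with ACEDataIsGroup set to true does. The role-id names are the built-in vSphere ids and are not stated in the post; the second entry for a read-only "nagios" user and the function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Built-in vSphere role ids (not stated in the post; anything else is custom).
ROLES = {-1: "Admin", -2: "ReadOnly", -5: "NoAccess"}

# Constructed sample: the post's entry after the edit, plus a hypothetical
# read-only entry for a dedicated "nagios" user for comparison.
ACE = ('<ACEData id="{i}"><ACEDataEntity>ha-folder-root</ACEDataEntity>'
       "<ACEDataId>{i}</ACEDataId><ACEDataIsGroup>{g}</ACEDataIsGroup>"
       "<ACEDataPropagate>true</ACEDataPropagate>"
       "<ACEDataRoleId>{r}</ACEDataRoleId><ACEDataUser>{u}</ACEDataUser></ACEData>")
SAMPLE = ("<ConfigRoot>" + ACE.format(i=10, g="true", r=-1, u="root")
          + ACE.format(i=11, g="false", r=-2, u="nagios")
          + "<NextAceId>12</NextAceId></ConfigRoot>")


def parse_aces(xml_text):
    """Return one dict per <ACEData> entry in authorization.xml."""
    aces = []
    for ace in ET.fromstring(xml_text).iter("ACEData"):
        def field(tag):
            return (ace.findtext(tag) or "").strip()
        role_id = int(field("ACEDataRoleId") or 0)  # 0 = missing/unknown
        aces.append({
            "entity": field("ACEDataEntity"),
            "principal": field("ACEDataUser"),
            "is_group": field("ACEDataIsGroup").lower() == "true",
            "propagate": field("ACEDataPropagate").lower() == "true",
            "role": ROLES.get(role_id, "custom(%d)" % role_id),
        })
    return aces


def group_admin_grants(aces):
    """Entries that give Admin to a whole group (every member inherits it)."""
    return [a for a in aces if a["is_group"] and a["role"] == "Admin"]


if __name__ == "__main__":
    # Pass a copy of the file as argv[1]; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    aces = parse_aces(text)
    for a in aces:
        kind = "group" if a["is_group"] else "user"
        print("%s %-8s role=%-10s on %s (propagate=%s)"
              % (kind, a["principal"], a["role"], a["entity"], a["propagate"]))
    for a in group_admin_grants(aces):
        print("REVIEW: all members of group '%s' hold Admin" % a["principal"])
```

Run it against a copy of the file taken before and after the edit to confirm that only the intended entry changed.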

As always, if you found this helpful, drop me a comment. They make me feel all fuzzy.

3 comments:

  1. Great, great, great! Thank you very much for sharing this valuable information. It has been very useful for us after searching for hours :-D
  2. Two year old post, still perfectly valid! Thank you so much for sharing this!
  3. This means that more CNC machines could be run more effectively and with fewer operators, lowering overhead costs and passing the savings onto the shoppers. The internet of things has manufacturing functions similar to remote monitoring, total machine shop optimization, and predictive maintenance. CNC machining is machine automated, which helps cut back labor costs RING CAMERA and manpower.