Tuesday, December 6, 2011

check_esx3 error "Permission to perform this operation was denied"

Today I was setting up VMware vSphere Hypervisor (ESXi 5.0) on a new server. Since I'm on the Kool-aid, the first thing I do when setting up a server is getting some kind of Nagios monitoring going. For several years, on ESXi servers, I have been using op5's check_esx3 plugin. Today was the first time I had set up an ESXi 5.0 server though, and when I first ran it after creating my Nagios user in ESXi I got the following error:
Permission to perform this operation was denied

The weird thing was that when I would run the check as root, it would work fine. I figured it must be a permissions issue, but my Nagios user was already a member of the root group. On to the fun. After a lot of Googling, syslog reading and whatnot, I figured out what the issue was. The access control that hostd applies to requests coming in through the VMware vSphere SDK for Perl (which is what the check_esx3 plugin uses) is configured in a file called /etc/vmware/hostd/authorization.xml. It looks like this:
<ConfigRoot>
  <ACEData id="10">
    <ACEDataEntity>ha-folder-root</ACEDataEntity>
    <ACEDataId>10</ACEDataId>
    <ACEDataIsGroup>false</ACEDataIsGroup>
    <ACEDataPropagate>true</ACEDataPropagate>
    <ACEDataRoleId>-1</ACEDataRoleId>
    <ACEDataUser>root</ACEDataUser>
  </ACEData>
  <NextAceId>11</NextAceId>
</ConfigRoot>

The quick among you may have noticed that the only entry in there is for a user named root, not a group, so membership in the root group counts for nothing. We want it to match the root group instead, so that non-root users in that group can authenticate. You'll need to enable either SSH or console access to edit it. Just use:
vi /etc/vmware/hostd/authorization.xml

Change this line:
<ACEDataIsGroup>false</ACEDataIsGroup>

to this:
<ACEDataIsGroup>true</ACEDataIsGroup>

and save. From the DCUI (Direct Console User Interface), you know, the regular yellow and grey interface on the ESXi server, just restart the Management Agents (Troubleshooting Options -> Restart Management Agents). I think you can also restart the management agents with these two commands, but it isn't "supported", so don't say I didn't warn you.
/sbin/services.sh restart
/etc/init.d/sfcbd-watchdog restart
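As an added example (not from the original post), here is a small Python script that parses an authorization.xml in the format shown above, flips the ACEDataIsGroup flag on a given ACE, and reports which role ids a given account receives before and after; it shows that after the change every member of the root group, not only root, picks up the entry's role. The user-to-group mapping is an assumption supplied by the caller, and the sample file is constructed from the one in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the authorization.xml shown in the post.
SAMPLE_XML = """<ConfigRoot>
  <ACEData id="10">
    <ACEDataEntity>ha-folder-root</ACEDataEntity>
    <ACEDataId>10</ACEDataId>
    <ACEDataIsGroup>false</ACEDataIsGroup>
    <ACEDataPropagate>true</ACEDataPropagate>
    <ACEDataRoleId>-1</ACEDataRoleId>
    <ACEDataUser>root</ACEDataUser>
  </ACEData>
  <NextAceId>11</NextAceId>
</ConfigRoot>"""

def parse_aces(xml_text):
    """Return one dict per <ACEData> entry with its fields normalised."""
    root = ET.fromstring(xml_text)
    return [{
        "id": int(ace.findtext("ACEDataId")),
        "entity": ace.findtext("ACEDataEntity"),
        "principal": ace.findtext("ACEDataUser"),
        "is_group": ace.findtext("ACEDataIsGroup") == "true",
        "propagate": ace.findtext("ACEDataPropagate") == "true",
        "role_id": int(ace.findtext("ACEDataRoleId")),
    } for ace in root.findall("ACEData")]

def set_is_group(xml_text, ace_id, is_group):
    """Flip ACEDataIsGroup on the ACE with the given id; return new XML text."""
    root = ET.fromstring(xml_text)
    for ace in root.findall("ACEData"):
        if ace.findtext("ACEDataId") == str(ace_id):
            ace.find("ACEDataIsGroup").text = "true" if is_group else "false"
    return ET.tostring(root, encoding="unicode")

def roles_for(aces, user, groups):
    """Role ids the ACEs grant to `user`, whose group memberships are the
    caller-supplied set `groups` (assumed to come from /etc/group on the host)."""
    roles = set()
    for ace in aces:
        if ace["is_group"] and ace["principal"] in groups:
            roles.add(ace["role_id"])
        elif not ace["is_group"] and ace["principal"] == user:
            roles.add(ace["role_id"])
    return roles

if __name__ == "__main__":
    before = roles_for(parse_aces(SAMPLE_XML), "nagios", {"root"})
    after = roles_for(parse_aces(set_is_group(SAMPLE_XML, 10, True)), "nagios", {"root"})
    print("nagios roles before:", before, "after:", after)
```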

As always, if you found this helpful, drop me a comment. They make me feel all fuzzy.

2 comments:

  1. Great, great, great! Thank you very much for sharing this valuable information. It has been very useful for us after searching for hours :-D

  2. Two year old post, still perfectly valid! Thank you so much for sharing this!
