Use Different User Accounts for VCH Deployment and Operation
A virtual container host (VCH) appliance requires the appropriate permissions in vSphere to perform various tasks during VCH operation.

During deployment of a VCH, vic-machine uses the vSphere account that you specify in either the vic-machine create --user or --target option for all deployment operations. Deployment of a VCH requires a user account with vSphere Administrator privileges.

Day-to-day operation of a VCH requires fewer permissions than deployment. You can configure a VCH so that it uses different user accounts for deployment and for operation by using the vic-machine create --ops-user and --ops-password options when you deploy the VCH. By specifying --ops-user, you can limit the post-deployment permissions of the VCH to only those vSphere operations that it needs. If you do not specify --ops-user, the VCH runs with full vSphere Administrator privileges.
After deployment, a VCH must have permission to perform the following operations:
- Create, modify, and delete VMs within its resource pool
- Reconfigure the endpoint VM
- Validate host firewall configuration and system licenses
When you deploy a VCH, the user account that you specify in --ops-user must have the correct privileges to allow the VCH to perform these operations. vSphere Integrated Containers Engine does not currently create the required roles, so to assign privileges to the --ops-user account, you must manually create user roles in vSphere before you deploy the VCH. You assign privileges to those roles, and assign the roles to the user account that you use in --ops-user.
Procedure
In the vSphere Web Client, create a user group, for example VIC Ops Users, and add the appropriate user accounts to the user group. The best practice when assigning roles in vSphere is to assign the roles to user groups and then to add users to those groups, rather than assigning roles to the users directly.

Go to Administration > Roles and create one role for each type of inventory object that VCHs need to access. It is possible to create a single role, but by creating multiple roles you keep the privileges of the VCH as granular as possible.
Roles to create, with the required permissions for each:

VCH - vcenter
- Datastore > Configure datastore

VCH - datacenter
- Datastore > Configure datastore
- Datastore > Low level file operations

VCH - datastore
- Datastore > AllocateSpace
- Datastore > Browse datastore
- Datastore > Configure datastore
- Datastore > Remove file
- Datastore > Low level file operations
- Host > Configuration > System management

VCH - network
- Network > Assign network

VCH - endpoint
- dvPort group > Modify
- dvPort group > Policy operation
- dvPort group > Scope operation
- vApp > Add virtual machine
- VirtualMachine > Configuration > Add existing disk
- VirtualMachine > Configuration > Add new disk
- VirtualMachine > Configuration > Add or remove device
- VirtualMachine > Configuration > Advanced
- VirtualMachine > Configuration > Modify device settings
- VirtualMachine > Configuration > Remove disk
- VirtualMachine > Configuration > Rename
- VirtualMachine > Guest operations > Guest operation program execution
- VirtualMachine > Interaction > Device connection
- VirtualMachine > Interaction > Power off
- VirtualMachine > Interaction > Power on
- VirtualMachine > Inventory > Create new
- VirtualMachine > Inventory > Remove
- VirtualMachine > Inventory > Register
- VirtualMachine > Inventory > Unregister

For information about how to create vSphere roles, see vSphere Permissions and User Management Tasks in the vSphere documentation.
Go to Networking, create a network folder, and place the distributed virtual switches that the VCHs will use for the bridge network and any container networks into that folder. The parent object of distributed virtual switches that the VCH uses as the bridge network and container networks must be set to Read-Only, with Propagate to Children enabled. By placing distributed virtual switches in a network folder, you avoid setting an entire datacenter to Read-Only. This restriction only applies to the bridge network and container networks. When you specify the vic-machine create --bridge-network and --container-network options, include the full inventory path to the networks in the following format: datacenter/network/network_folder/port_group_name
(Optional) Go to Hosts and Clusters and create a resource pool in which to deploy VCHs. By creating a resource pool for VCHs, you can set the correct permissions on just that resource pool rather than on an entire host or cluster. You specify this resource pool in the vic-machine create --compute-resource option when you deploy the VCH. For a more granular application of privileges, you can also apply the permissions directly to VCH vApps after deployment, rather than to a resource pool.

In each of the Hosts and Clusters, Storage, and Networking views, select inventory objects and assign the user group and the appropriate role to each one.
| Inventory Object | Role to Assign | Propagate |
|---|---|---|
| Top-level vCenter Server instance | VCH - vcenter | No |
| Datacenters | VCH - datacenter | No |
| Clusters. All datastores in the cluster inherit permissions from the cluster. | VCH - datastore | Yes |
| Standalone VMware vSAN datastores | VCH - datastore | No |
| Standalone datastores | VCH - datastore | No |
| Network folders | Read-only | Yes |
| Port groups | VCH - network | No |
| Resource pools for VCHs | VCH - endpoint | Yes |
| VCH vApps, for a very granular application of privileges | VCH - endpoint | Yes |

For information about how to assign permissions to objects in the vSphere Inventory, see Add a Permission to an Inventory Object in the vSphere documentation.
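The role creation and permission assignment steps above can be scripted instead of clicked through in the Web Client. The following VMware PowerCLI script is an added example, not code from the vSphere Integrated Containers documentation or project: it assumes PowerCLI is installed, the vCenter address, group domain, datacenter, cluster, network folder, port group and resource pool names are placeholders for your environment, and the privilege IDs are the vSphere API names that correspond to the Web Client labels in the roles table.

```powershell
# Added example, not from the VIC docs: scripts the role and permission steps with PowerCLI.
# Privilege IDs are the vSphere API names behind the Web Client labels in the roles
# table; server, group and inventory object names are placeholders (assumed values).
Connect-VIServer -Server 'vcenter.example.com' | Out-Null   # log in as a vSphere Administrator

$Group = 'VSPHERE.LOCAL\VIC Ops Users'   # user group from the first step; domain is assumed

# Role name -> privilege IDs: one role per type of inventory object the VCH touches.
$Roles = @{
  'VCH - vcenter'    = @('Datastore.Config')
  'VCH - datacenter' = @('Datastore.Config', 'Datastore.FileManagement')
  'VCH - datastore'  = @('Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.Config',
                         'Datastore.DeleteFile', 'Datastore.FileManagement',
                         'Host.Config.SystemManagement')
  'VCH - network'    = @('Network.Assign')
  'VCH - endpoint'   = @('DVPortgroup.Modify', 'DVPortgroup.PolicyOp', 'DVPortgroup.ScopeOp',
                         'VApp.AssignVM',
                         'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
                         'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.AdvancedConfig',
                         'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.RemoveDisk',
                         'VirtualMachine.Config.Rename', 'VirtualMachine.GuestOperations.Execute',
                         'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.PowerOff',
                         'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Inventory.Create',
                         'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Register',
                         'VirtualMachine.Inventory.Unregister')
}
foreach ($name in $Roles.Keys) {
  # Create each role only once; Get-VIPrivilege reports an error for any unknown ID.
  if (-not (Get-VIRole -Name $name -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $name -Privilege (Get-VIPrivilege -Id $Roles[$name]) | Out-Null
  }
}

# Inventory object -> role and Propagate flag, following the assignment table above.
# The built-in ReadOnly role on the network folder leaves the datacenter itself untouched.
$Assignments = @(
  @{ Entity = (Get-Folder -NoRecursion);                       Role = 'VCH - vcenter';    Propagate = $false }  # top-level vCenter
  @{ Entity = (Get-Datacenter -Name 'DC1');                    Role = 'VCH - datacenter'; Propagate = $false }
  @{ Entity = (Get-Cluster -Name 'Cluster1');                  Role = 'VCH - datastore';  Propagate = $true  }  # datastores inherit
  @{ Entity = (Get-Folder -Name 'vic-networks' -Type Network); Role = 'ReadOnly';         Propagate = $true  }
  @{ Entity = (Get-VDPortgroup -Name 'vic-bridge');            Role = 'VCH - network';    Propagate = $false }
  @{ Entity = (Get-ResourcePool -Name 'vch-pool');             Role = 'VCH - endpoint';   Propagate = $true  }
)
foreach ($a in $Assignments) {
  $propagate = [bool]$a.Propagate
  New-VIPermission -Entity $a.Entity -Principal $Group -Role $a.Role -Propagate:$propagate | Out-Null
}
```

Standalone datastores and VCH vApps are assigned the same way, with their own Get-Datastore or Get-VApp lookups added to the list.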
What to do next
Use vic-machine create --ops-user=<user_account> to deploy VCHs that operate with restricted privileges. Ensure that the various vSphere inventory objects that you specify as arguments have the user group with the appropriate role. For an example of a vic-machine command with the --ops-user option, see the section Specify Different User Accounts for VCH Deployment and Operation in Advanced Examples of Deploying a VCH.