Use Different User Accounts for VCH Deployment and Operation

A virtual container host (VCH) appliance requires the appropriate permissions in vSphere to perform various tasks during VCH operation.

During deployment of a VCH, vic-machine uses the vSphere account that you specify in either of the vic-machine create --user or --target options for all deployment operations. Deployment of a VCH requires a user account with vSphere Administrator privileges.

Day-to-day operation of a VCH requires fewer permissions than deployment. You can configure a VCH so that it uses different user accounts for deployment and for operation by using the vic-machine create --ops-user and --ops-password options when you deploy the VCH. By specifying --ops-user, you can limit the post-deployment permissions of the VCH to only those vSphere operations that it needs. If you do not specify --ops-user, the VCH runs with full vSphere Administrator privileges.

After deployment, a VCH must have permission to perform the following operations:

  • Create, modify, and delete VMs within its resource pool
  • Reconfigure the endpoint VM
  • Validate host firewall configuration and system licenses

When you deploy a VCH, a user account that you specify in --ops-user must have the correct privileges to allow the VCH to perform these operations. vSphere Integrated Containers Engine does not currently create the required roles, so to assign privileges to the --ops-user user account, you must manually create user roles in vSphere before you deploy the VCH. You assign privileges to those roles, and assign the roles to the user account to use in --ops-user.


  1. In the vSphere Web Client, create a user group, for example VIC Ops Users, and add the appropriate user accounts to the user group.

    The best practice when assigning roles in vSphere is to assign the roles to user groups and then to add users to those groups, rather than assigning roles to the users directly.

  2. Go to Administration > Roles and create one role for each type of inventory object that VCHs need to access.

    It is possible to create a single role, but by creating multiple roles you keep the privileges of the VCH as granular as possible.

    Role to Create Required Permissions
    VCH - vcenter Datastore > Configure datastore
    VCH - datacenter Datastore > Configure datastore
    Datastore > Low level file operations
    VCH - datastore Datastore > AllocateSpace
    Datastore > Browse datastore
    Datastore > Configure datastore
    Datastore > Remove file
    Datastore > Low level file operations
    Host > Configuration > System management
    VCH - network Network > Assign network
    VCH - endpoint

    dvPort group > Modify
    dvPort group > Policy operation
    dvPort group > Scope operation
    vApp > Add virtual machine
    VirtualMachine > Configuration > Add existing disk
    VirtualMachine > Configuration > Add new disk
    VirtualMachine > Configuration > Add or remove device
    VirtualMachine > Configuration > Advanced
    VirtualMachine > Configuration > Modify device settings
    VirtualMachine > Configuration > Remove disk
    VirtualMachine > Configuration > Rename
    VirtualMachine > Guest operations > Guest operation program execution
    VirtualMachine > Interaction > Device connection
    VirtualMachine > Interaction > Power off
    VirtualMachine > Interaction > Power on
    VirtualMachine > Inventory > Create new
    VirtualMachine > Inventory > Remove
    VirtualMachine > Inventory > Register
    VirtualMachine > Inventory > Unregister

    For information about how to create vSphere roles, see vSphere Permissions and User Management Tasks in the vSphere documentation.

  3. Go to Networking, create a network folder, and place the distributed virtual switches that the VCHs will use for the bridge network and any container networks into that folder.

    The parent object of distributed virtual switches that the VCH uses as the bridge network and container networks must be set to Read-Only, with Propagate to Children enabled. By placing distributed virtual switches in a network folder, you avoid setting an entire datacenter to Read-Only. This restriction only applies to the bridge network and container networks. When you specify the vic-machine create --bridge-network and --container-network options, include the full inventory path to the networks in the following format:


  4. (Optional) Go to Hosts and Clusters and create a resource pool in which to deploy VCHs.

    By creating a resource pool for VCHs, you can set the correct permissions on just that resource pool rather than on an entire host or cluster. You specify this resource pool in the vic-machine create --compute-resource option when you deploy the VCH. For a more granular application of privileges, you can also apply the permissions directly to VCH vApps after deployment, rather than to a resource pool.

  5. In each of the Hosts and Clusters, Storage, and Networking views, select inventory objects and assign the user group and the appropriate role to each one.

    Inventory Object Role to Assign Propagate
    Top-level vCenter Server instance VCH - vcenter No
    Datacenters VCH - datacenter No
    Clusters. All datastores in the cluster inherit permissions from the cluster. VCH - datastore Yes
    Standalone VMware vSAN datastores VCH - datastore No
    Standalone datastores VCH - datastore No
    Network folders Read-only Yes
    Port groups VCH - network No
    Resource pools for VCHs VCH - endpoint Yes
    VCH vApps, for a very granular application of privileges VCH - endpoint Yes

    For information about how to assign permissions to objects in the vSphere Inventory, see Add a Permission to an Inventory Object in the vSphere documentation.

What to do next

Use vic-machine create --ops-user=<user_account> to deploy VCHs that operate with restricted privileges. Ensure that the various vSphere inventory objects that you specify as arguments have the user group with the appropriate role. For an example of a vic-machine command with the --ops-user option, see the section Specify Different User Accounts for VCH Deployment and Operation Advanced Examples of Deploying a VCH.

results matching ""

    No results matching ""