Manually Create a User Account for the Operations User

When you deploy a VCH, the user account that you specify as the operations user must have the correct privileges to allow the VCH to perform post-deployment operations. vSphere Integrated Containers Engine provides a mechanism to automatically assign the necessary permissions to the operations user account, but you can also choose to create the user account manually in vSphere. To do so, you create roles, assign privileges to those roles, and assign the roles to the user account to use as the operations user.

Prerequisite

Log into the Flex-based vSphere Web Client with a vSphere administrator account. You cannot use the HTML5 vSphere Client to create user accounts.

Procedure

  1. In the vSphere Web Client, create a user group, for example VIC Ops Users, and add the appropriate user accounts to the user group.

    The best practice when assigning roles in vSphere is to assign the roles to user groups and then to add users to those groups, rather than assigning roles to the users directly.

  2. Go to Administration > Roles and create one role for each type of inventory object that VCHs need to access.

    It is possible to create a single role, but by creating multiple roles you keep the privileges of the VCH as granular as possible.

    Role to Create     Required Permissions
    VCH - vcenter      Datastore > Configure datastore
    VCH - datacenter   Datastore > Configure datastore
                       Datastore > Low level file operations
                       VirtualMachine > Configuration > Add existing disk
                       VirtualMachine > Configuration > Add new disk
                       VirtualMachine > Configuration > Advanced
                       VirtualMachine > Configuration > Remove disk
                       VirtualMachine > Inventory > Create new
                       VirtualMachine > Inventory > Remove
    VCH - datastore    Datastore > AllocateSpace
                       Datastore > Browse datastore
                       Datastore > Configure datastore
                       Datastore > Remove file
                       Datastore > Low level file operations
                       Host > Configuration > System management
    VCH - network      Network > Assign network
    VCH - endpoint     dvPort group > Modify
                       dvPort group > Policy operation
                       dvPort group > Scope operation
                       Global > Enable methods
                       Global > Disable methods
                       Resource > Assign virtual machine to resource pool
                       VirtualMachine > Configuration > Add existing disk
                       VirtualMachine > Configuration > Add new disk
                       VirtualMachine > Configuration > Add or remove device
                       VirtualMachine > Configuration > Advanced
                       VirtualMachine > Configuration > Modify device settings
                       VirtualMachine > Configuration > Remove disk
                       VirtualMachine > Configuration > Rename
                       VirtualMachine > Guest operations > Guest operation program execution
                       VirtualMachine > Interaction > Device connection
                       VirtualMachine > Interaction > Power off
                       VirtualMachine > Interaction > Power on
                       VirtualMachine > Inventory > Create new
                       VirtualMachine > Inventory > Remove
                       VirtualMachine > Inventory > Register
                       VirtualMachine > Inventory > Unregister

  3. In each of the Hosts and Clusters, Storage, and Networking views, select inventory objects and assign the user group and the appropriate role to each one.

    1. Right-click an inventory object and select Add Permission.
    2. Under Users and Groups, select the operations user group that you created.
    3. Under Assigned Role, assign the appropriate role for each type of inventory object and select the Propagate to children check box where necessary.

The following table lists which roles to assign to which type of inventory object, and whether or not to propagate the role.

Inventory Object                     Role to Assign     Propagate?
Top-level vCenter Server instance    VCH - vcenter      No
Datacenters                          VCH - datacenter   Yes, if vSphere Distributed Switches are not in
                                                        network folders. No, if you use network folders.
                                                        See About vSphere Distributed Switches below.
Clusters (all datastores in the      VCH - datastore    Yes
cluster inherit permissions from
the cluster)
Standalone VMware vSAN datastores    VCH - datastore    No
Standalone datastores                VCH - datastore    No
Network folders                      Read-only          Yes, if used. See About vSphere Distributed
                                                        Switches below.
Port groups                          VCH - network      No
Resource pools for VCHs              VCH - endpoint     Yes

About vSphere Distributed Switches

The operations user account must have the Read-only role on all of the vSphere Distributed Switches that VCHs use. You can assign this role to switches in either of the following ways:

  • If you do not place the switches in network folders, enable propagation of the VCH - datacenter role on datacenters.
  • If you place the switches in network folders, assign the Read-only role to the network folders, and enable propagation. In this case, you must still assign the VCH - datacenter role to datacenters, but you do not need to enable propagation.
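As an added example (not part of the VIC documentation), the following Python script encodes the role and propagation table above, including the network-folder rule for distributed switches, and audits a constructed list of permission entries for roles or propagation settings broader than the table requires. The object type keys, the entry format and the group name are assumptions.

```python
"""Audit the operations user group's permissions against the table above.
Added example, not VIC code; the permission list below is constructed."""

# Expected (role, propagate) per inventory object type. None marks the
# datacenter rule that depends on whether switches sit in network folders.
EXPECTED = {
    "vcenter":           ("VCH - vcenter",    False),
    "datacenter":        ("VCH - datacenter", None),
    "cluster":           ("VCH - datastore",  True),
    "vsan_datastore":    ("VCH - datastore",  False),
    "datastore":         ("VCH - datastore",  False),
    "network_folder":    ("Read-only",        True),
    "port_group":        ("VCH - network",    False),
    "vch_resource_pool": ("VCH - endpoint",   True),
}

def expected_propagate(obj_type, uses_network_folders):
    """Datacenter permissions propagate only when no network folders are used."""
    prop = EXPECTED[obj_type][1]
    return (not uses_network_folders) if prop is None else prop

def audit(permissions, group="VIC Ops Users"):
    """permissions: dicts with obj, type, principal, role, propagate.
    Returns a list of findings; an empty list means the setup matches."""
    uses_folders = any(p["type"] == "network_folder" for p in permissions)
    findings = []
    for p in (q for q in permissions if q["principal"] == group):
        want_role = EXPECTED[p["type"]][0]
        want_prop = expected_propagate(p["type"], uses_folders)
        if p["role"] != want_role:
            findings.append(f"{p['obj']}: role {p['role']!r}, expected {want_role!r}")
        if p["propagate"] != want_prop:
            findings.append(f"{p['obj']}: propagate={p['propagate']}, expected {want_prop}")
    return findings

# Constructed inventory: switches live in a network folder, yet the datacenter
# permission still propagates, and a datastore carries the broad endpoint role.
SAMPLE = [
    {"obj": "DC1", "type": "datacenter", "principal": "VIC Ops Users",
     "role": "VCH - datacenter", "propagate": True},
    {"obj": "DC1/network/dvs", "type": "network_folder",
     "principal": "VIC Ops Users", "role": "Read-only", "propagate": True},
    {"obj": "ds-vic-01", "type": "datastore", "principal": "VIC Ops Users",
     "role": "VCH - endpoint", "propagate": False},
    {"obj": "vic-pool", "type": "vch_resource_pool", "principal": "VIC Ops Users",
     "role": "VCH - endpoint", "propagate": True},
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "compliant")
```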

What to Do Next

You can use the user accounts in the user group that you created as operations users for VCHs. When you deploy VCHs, you do not need to select the option to grant all necessary permissions in the Create Virtual Container Host wizard, or specify --ops-grant-perms in vic-machine create commands.
