Configure the Operations User
A virtual container host (VCH) requires the appropriate permissions in vSphere to perform various tasks during VCH operation. Deployment of a VCH requires a user account with vSphere administrator privileges. However, day-to-day operation of a VCH requires fewer vSphere permissions than deployment.
During deployment of a VCH, vSphere Integrated Containers Engine runs all deployment operations by using the vSphere administrator account that you specify in the vic-machine create --user or --target options. If you are using the Create Virtual Container Host wizard, it uses the vSphere administrator account with which you are logged into the vSphere Client.
By default, if you deploy a VCH by using vic-machine, it runs with the same user account as you used to deploy it. In this case, the VCH uses the vSphere administrator account for post-deployment operations, meaning that it runs with full vSphere administrator privileges. Running with full vSphere administrator privileges is excessive, and potentially a security risk.
To avoid this situation, you should configure a VCH so that it uses different user accounts for deployment and for post-deployment operation by specifying an operations user when you deploy the VCH. By specifying an operations user with reduced vSphere privileges, you limit its post-deployment privileges to only those privileges that it needs for day-to-day operation.
If you use the Create Virtual Container Host wizard to deploy VCHs, it is mandatory to specify an operations user. If you use vic-machine, specifying an operations user is recommended but optional.
- How the Operations User Works
- Create a User Account for the Operations User
- Options
- Example
- What to Do Next
How the Operations User Works
If you specify an operations user, vic-machine and the VCH behave differently to how they would behave in a default deployment.
Default Behavior
- When you create a VCH by using
vic-machine, you provide vSphere administrator credentials tovic-machine create, either in--targetor in the--userand--passwordoptions. During deployment,vic-machine createuses these credentials to log in to vSphere and create the VCH. The VCH safely and securely stores the vSphere administrator credentials, for use in post-deployment operation. - When you run other
vic-machinecommands on the VCH after deployment, for example,vic-machine ls,upgrade, orconfigure, you again provide the vSphere administrator credentials in the--targetor--userand--passwordoptions. Again,vic-machineuses these credentials to log in to vSphere to retrieve the necessary information or to perform upgrade or configuration tasks on the VCH. - When a container developer creates a container in the VCH, they authenticate with the VCH with their client certificate. In other words, the developer interacts with the VCH via the Docker client, and does not need to provide any vSphere credentials. However, the VCH uses the stored vSphere administrator credentials that you provided during deployment to log in to vSphere to create the container VM and to run operations on it.
Operations User Behavior
- When you create a VCH, the Create Virtual Container Host wizard uses the vSphere administrator credentials with which you logged into vSphere Client to create the VCH. If you use
vic-machine, you provide vSphere administrator credentials either invic-machine create --targetor in the--userand--passwordoptions. - You also provide the credentials for another vSphere account in the Operations User page of the Create Virtual Container Host wizard or in the
vic-machine create --ops-userand--ops-passwordoptions. - During deployment, vSphere Integrated Containers Engine uses the vSphere administrator credentials to log in to vSphere and create the VCH. The operations user credentials are safely and securely stored in the VCH, for later use in post-deployment operation. In this case, the VCH does not store the vSphere administrator credentials.
- When you perform operations on the VCH after deployment, for example,
vic-machine ls,upgrade, orconfigure, you provide the vSphere administrator credentials in the--targetor--userand--passwordoptions. This is the same as in the default case. The stored operations user credentials are not used for these operations. - When a container developer creates a container in the VCH, the VCH uses the stored operations user credentials to log in to vSphere to create the container VM and to run operations on it.
Create a User Account for the Operations User
The user account that you specify as the operations user must exist before you deploy the VCH. vSphere Integrated Containers Engine provides an option to automatically assign all of the required roles and permissions to the operations user account. If you prefer to assign roles and permissions manually, see Manually Create a User Account for the Operations User.
NOTE: In vSphere Integrated Containers 1.3.0, you must manually configure the account with ready-only non-propagating permissions on the datacenter in which you are deploying the VCH. From version 1.3.1 onwards, this manual configuration is not necessary.
You can use the same user account as the operations user for multiple VCHs.
Prerequisite
Log into the Flex-based vSphere Web Client with a vSphere administrator account. You cannot use the HTML5 vSphere Client to create user accounts.
Procedure
- In Home page of the vSphere Web Client, click Roles.
- Click Users and Groups in the Navigator menu.
- Select the appropriate domain and click the + button to add a new user.
- Enter a user name for the operations user account, for example
vic-ops. - Enter and confirm the password for this account, optionally provide the additional information, and click OK.
(Optional) If you are using vSphere Integrated Containers 1.3.0, configure ready-only non-propagating permissions on the datacenter.
If you are using version 1.3.1 or later, these steps are not required.
- In the Hosts and Clusters view, right-click the datacenter in which to deploy the VCH and select Add Permission.
- Under Users and Groups, select the operations user that you created.
- Under Assigned Role, select Read-only from the drop-down menu.
- Do not select the Propagate to children checkbox, and click OK.
Result
You can use the new user as the operations user account for VCHs. You must use the option to grant any necessary permissions to the user account when you deploy the VCH.
Options
The following sections each correspond to an entry in the Operations User page of the Create Virtual Container Host wizard. Each section also includes a description of the corresponding vic-machine create option.
Certain options in this section are exposed in the vic-machine create help if you run vic-machine create --extended-help, or vic-machine create -x.
vSphere User Credentials
A vSphere user account with which the VCH runs after deployment.
The user account that you specify as the operations user must exist before you deploy the VCH. For information about how to create an operations user account, see Create a User Account for the Operations User above.
Create VCH Wizard
- In the vSphere user credentials text box, enter the user name for an existing vSphere user account.
- Enter the password for the specified user account.
vic-machine Options
--ops-user, no short name
--ops-password, no short name
If you do not specify --ops-user, the VCH runs with the vSphere Administrator credentials with which you deploy the VCH, that you specify in either --target or --user.
If you specify --ops-user but you do not specify --ops-password, vic-machine create prompts you to enter the password for the --ops-user account.
--ops-user user_name --ops-password password
Grant Any Necessary Permissions
The operations user account must exist before you create a VCH. If you did not manually configure the operations user account with all of the necessary permissions, vSphere Integrated Containers Engine can do this for you.
Create VCH Wizard
- Select the Grant this user any necessary permissions check box.
- If you manually added the necessary permissions to the operations user account, do not select the check box.
vic-machine Option
--ops-grant-perms, no short name
If you specify --ops-user, you can also specify --ops-grant-perms so that vic-machine automatically grants the necessary vSphere permissions to the operations user account. If you specify --ops-user but do not specify --ops-grant-perms, you must configure the permissions on the operations user account manually.
The --ops-grant-perms option takes no arguments.
--ops-grant-perms
Example
This example uses the user account vic-ops@vsphere.local as the operations user, and automatically grants the necessary permissions to that account.
Prerequisite
Follow the instructions in Create a User Account for the Operations User to create a vSphere user account, vic-ops@vsphere.local.
Create VCH Wizard
- In the vSphere user credentials text box, enter
vic-ops@vsphere.local. - Enter the password for
vic-ops@vsphere.local. - Select the Grant this user any necessary permissions check box.
vic-machine Command
This example vic-machine create command deploys a VCH with the following options:
- Specifies the account
Administrator@vsphere.localin the--targetoption, to identify the user account with vSphere administrator privileges with which to deploy the VCH. - Specifies the existing
vic-ops@vsphere.localuser account and its password in the--ops-userand--ops-passwordoptions, to identify the user account with which the VCH runs after deployment. - Specifies
--ops-grant-permsto automatically grant the necessary permissions to thevic-ops@vsphere.localuser account.
vic-machine-operating_system create --target 'Administrator@vsphere.local:vsphere_admin_password'@vcenter_server_address/dc1 --compute-resource cluster1 --image-store datastore1 --bridge-network vch1-bridge --name vch1 --ops-user vic-ops@vsphere.local --ops-password password --ops-grant-perms --thumbprint certificate_thumbprint --no-tlsverify
What to Do Next
If you are using the Create Virtual Container Host wizard, click Next to review the configuration that you have made.