Manually Create a User Account for the Operations User

When you deploy a virtual container host (VCH), the user account that you specify as the operations user must have the correct privileges to allow the VCH to perform post-deployment operations. vSphere Integrated Containers Engine provides a mechanism to automatically assign the necessary permissions to the operations user account. You can also create the user account manually in vSphere.

IMPORTANT: If you are deploying the VCH to a standalone host that is managed by vCenter Server, you must configure the operations user account manually. The option to grant any necessary permissions automatically only applies when deploying VCHs to clusters.

To assign permissions to the operations user account, you create roles, assign privileges to those roles, and assign the roles to the operations user account.

When creating roles manually, the privileges are not as granular as when you use the option to grant permissions automatically. VMware recommends that you use the option to grant permissions automatically whenever possible.

Prerequisites

  • Create one or more user accounts to use as the operations user for VCHs.
  • Log into the vSphere Client with a vSphere administrator account.

Procedure

  1. In the vSphere Client, create a user group, for example VIC Ops Users, and add the appropriate user accounts to the user group.

    The best practice when assigning roles in vSphere is to assign the roles to user groups and then to add users to those groups, rather than assigning roles to the users directly.

  2. Go to Administration > Roles and create one role for each type of inventory object that VCHs need to access.

    It is possible to create a single role, but by creating multiple roles you keep the privileges of the VCH as granular as possible.

    NOTE: In environments that do not implement DRS, you combine the permissions of the VCH - datastore and VCH - endpoint roles into a single VCH - endpoint - datastore role.

    Role to Create                Required Permissions
    VCH - vcenter                 Datastore > Configure datastore
                                  Global > Enable methods
                                  Global > Disable methods
    VCH - datacenter              Datastore > Configure datastore
                                  Datastore > Low level file operations
                                  VirtualMachine > Configuration > Add existing disk
                                  VirtualMachine > Configuration > Add new disk
                                  VirtualMachine > Configuration > Advanced
                                  VirtualMachine > Configuration > Remove disk
                                  VirtualMachine > Inventory > Create new
                                  VirtualMachine > Inventory > Remove
    VCH - datastore               Datastore > AllocateSpace
                                  Datastore > Browse datastore
                                  Datastore > Configure datastore
                                  Datastore > Remove file
                                  Datastore > Low level file operations
                                  Host > Configuration > System management
    VCH - network                 Network > Assign network
    VCH - endpoint                dvPort group > Modify
    (This role only applies to    dvPort group > Policy operation
    DRS environments. See note.)  dvPort group > Scope operation
                                  Resource > Assign virtual machine to resource pool
                                  VirtualMachine > Configuration > Add existing disk
                                  VirtualMachine > Configuration > Add new disk
                                  VirtualMachine > Configuration > Add or remove device
                                  VirtualMachine > Configuration > Advanced
                                  VirtualMachine > Configuration > Modify device settings
                                  VirtualMachine > Configuration > Remove disk
                                  VirtualMachine > Configuration > Rename
                                  VirtualMachine > Guest operations > Guest operation program execution
                                  VirtualMachine > Guest operations > Modify
                                  VirtualMachine > Guest operations > Query
                                  VirtualMachine > Interaction > Device connection
                                  VirtualMachine > Interaction > Power off
                                  VirtualMachine > Interaction > Power on
                                  VirtualMachine > Inventory > Create new
                                  VirtualMachine > Inventory > Remove
                                  VirtualMachine > Inventory > Register
                                  VirtualMachine > Inventory > Unregister
    VCH - endpoint - datastore    Datastore > AllocateSpace
    (This role only applies to    Datastore > Browse datastore
    non-DRS environments.         Datastore > Configure datastore
    See note.)                    Datastore > Remove file
                                  Datastore > Low level file operations
                                  Host > Configuration > System management
                                  dvPort group > Modify
                                  dvPort group > Policy operation
                                  dvPort group > Scope operation
                                  Resource > Assign virtual machine to resource pool
                                  Resource > Migrate powered off virtual machine
                                  VirtualMachine > Configuration > Add existing disk
                                  VirtualMachine > Configuration > Add new disk
                                  VirtualMachine > Configuration > Add or remove device
                                  VirtualMachine > Configuration > Advanced
                                  VirtualMachine > Configuration > Modify device settings
                                  VirtualMachine > Configuration > Remove disk
                                  VirtualMachine > Configuration > Rename
                                  VirtualMachine > Guest operations > Guest operation program execution
                                  VirtualMachine > Guest operations > Modify
                                  VirtualMachine > Guest operations > Query
                                  VirtualMachine > Interaction > Device connection
                                  VirtualMachine > Interaction > Power off
                                  VirtualMachine > Interaction > Power on
                                  VirtualMachine > Inventory > Create new
                                  VirtualMachine > Inventory > Remove
                                  VirtualMachine > Inventory > Register
                                  VirtualMachine > Inventory > Unregister

  3. In each of the Hosts and Clusters, Storage, and Networking views, select inventory objects and assign the user group and the appropriate role to each one.

    1. Right-click an inventory object and select Add Permission.
    2. Under Users and Groups, select the operations user group that you created.
    3. Under Assigned Role, assign the appropriate role for each type of inventory object and select the Propagate to children check box where necessary.

    The following table lists which roles to assign to which type of inventory object, when creating the operations user account.

    NOTE: You apply different roles to the inventory objects depending on whether DRS is enabled on a cluster. In DRS environments you apply the VCH - datastore and VCH - endpoint roles to datastores and resource pools respectively. In environments without DRS, you apply the combined VCH - endpoint - datastore role to clusters.

    Inventory Object                     Role to Assign               Propagate?
    Top-level vCenter Server instance    VCH - vcenter                No
    Datacenters                          VCH - datacenter             Yes, if vSphere Distributed Switches are not in
                                                                      network folders. No, if you use network folders.
                                                                      See About vSphere Distributed Switches below.
    Clusters with DRS enabled            VCH - datastore              Yes. All datastores in the cluster inherit
                                                                      permissions from the cluster. This role only
                                                                      applies in DRS environments. See note.
    Clusters with DRS disabled           VCH - endpoint - datastore   Yes. All datastores in the cluster inherit
                                                                      permissions from the cluster. This role only
                                                                      applies in non-DRS environments. See note.
    Standalone VMware vSAN datastores    VCH - datastore              No
    Standalone datastores                VCH - datastore              No
    Network folders                      Read-only                    Yes, if used. See About vSphere Distributed
                                                                      Switches below.
    Port groups                          VCH - network                No
    Resource pools for VCHs              VCH - endpoint               Yes. This role only applies in DRS
                                                                      environments. See note.
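The following PowerCLI script is an added example, not part of the vSphere Integrated Containers documentation or product: it creates the six roles from the step 2 table and grants them to inventory objects as the step 3 table specifies, choosing the DRS or non-DRS role from the cluster's DRS setting. The vCenter host, group, datacenter, cluster, resource pool, port group and network folder names are placeholders, and the privilege IDs are the vSphere privilege identifiers as assumed here; confirm them against the output of Get-VIPrivilege | Select-Object Id, Name on the target vCenter before running.

```powershell
# Added example (not VIC's own code). Placeholders: server, group and inventory names.
# Privilege IDs below are assumed vSphere identifiers; verify with
#   Get-VIPrivilege | Select-Object Id, Name
Connect-VIServer -Server 'vcenter.example.com'
$group = 'VSPHERE.LOCAL\VIC Ops Users'           # user group created in step 1
$vmCommon  = 'VirtualMachine.Config.AddExistingDisk','VirtualMachine.Config.AddNewDisk',
             'VirtualMachine.Config.AdvancedConfig','VirtualMachine.Config.RemoveDisk',
             'VirtualMachine.Inventory.Create','VirtualMachine.Inventory.Delete'
$datastore = 'Datastore.AllocateSpace','Datastore.Browse','Datastore.Config',
             'Datastore.DeleteFile','Datastore.FileManagement','Host.Config.SystemManagement'
$endpoint  = @('DVPortgroup.Modify','DVPortgroup.PolicyOp','DVPortgroup.ScopeOp',
             'Resource.AssignVMToPool','VirtualMachine.Config.AddRemoveDevice',
             'VirtualMachine.Config.EditDevice','VirtualMachine.Config.Rename',
             'VirtualMachine.GuestOperations.Execute','VirtualMachine.GuestOperations.Modify',
             'VirtualMachine.GuestOperations.Query','VirtualMachine.Interact.DeviceConnection',
             'VirtualMachine.Interact.PowerOff','VirtualMachine.Interact.PowerOn',
             'VirtualMachine.Inventory.Register','VirtualMachine.Inventory.Unregister') + $vmCommon
$roles = @{
  'VCH - vcenter'              = 'Datastore.Config','Global.EnableMethods','Global.DisableMethods'
  'VCH - datacenter'           = @('Datastore.Config','Datastore.FileManagement') + $vmCommon
  'VCH - datastore'            = $datastore
  'VCH - network'              = @('Network.Assign')
  'VCH - endpoint'             = $endpoint                                         # DRS clusters only
  'VCH - endpoint - datastore' = $datastore + $endpoint + 'Resource.ColdMigrate'   # non-DRS, per NOTE
}
foreach ($name in $roles.Keys) {                 # step 2: one role per object type, created once
  if (-not (Get-VIRole -Name $name -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $name -Privilege (Get-VIPrivilege -Id $roles[$name]) | Out-Null
  }
}
function Grant($entity, $roleName, [bool]$propagate) {   # step 3: group + role on one object
  New-VIPermission -Entity $entity -Principal $group -Role (Get-VIRole -Name $roleName) `
                   -Propagate:$propagate | Out-Null
}
$usesNetworkFolders = $false                     # $true if your VDSes sit in network folders
$dc      = Get-Datacenter -Name 'DC1'
$cluster = Get-Cluster -Name 'Cluster1' -Location $dc
Grant (Get-Folder -NoRecursion) 'VCH - vcenter' $false        # root folder = top-level vCenter
Grant $dc 'VCH - datacenter' (-not $usesNetworkFolders)       # propagate only without network folders
if ($usesNetworkFolders) { Grant (Get-Folder -Name 'VIC Switches' -Type Network) 'ReadOnly' $true }
if ($cluster.DrsEnabled) {                       # DRS: split roles; datastores inherit from cluster
  Grant $cluster 'VCH - datastore' $true
  Grant (Get-ResourcePool -Name 'vch-pool' -Location $cluster) 'VCH - endpoint' $true
} else {                                         # no DRS: combined role on the cluster itself
  Grant $cluster 'VCH - endpoint - datastore' $true
}
Grant (Get-VDPortgroup -Name 'vic-bridge') 'VCH - network' $false
Get-VIPermission -Principal $group | Format-Table Entity, Role, Propagate   # review the result
```

Standalone and vSAN datastores are granted VCH - datastore without propagation in the same way, passing the Get-Datastore object to Grant; ReadOnly is the name of the built-in Read-only role as PowerCLI reports it.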

What to Do Next

You can use the user accounts in the user group that you created as operations users for VCHs. When you deploy VCHs you do not need to select the option to grant all necessary permissions in the Create Virtual Container Host wizard, or specify --ops-grant-perms in vic-machine create commands.

About vSphere Distributed Switches

The operations user account must have the Read-only role on all of the vSphere Distributed Switches that VCHs use. You can assign this role to switches in either of the following ways:

  • If you do not place the switches in network folders, enable propagation of the VCH - datacenter role on datacenters.
  • If you place the switches in network folders, assign the Read-only role to the network folders, and enable propagation. In this case, you must still assign the VCH - datacenter role to datacenters, but you do not need to enable propagation.
