• Arun Nukula

Deployment failures are seen when cloud-init based config added to the blueprint


When a user attempts to deploy a virtual machine from a blueprint that has cloud-init commands in it we then see the following exception as soon as we clone the machine and power it on


Exception


vCenter responded with "Permission to perform this operation was denied"



Logs where the exception is recorded

vRealize Automation logs

provisioning-service-app-xxxxxxx/provisioning-service-app.log
ebs-app-xxxxxxx/ebs-app.log
catalog-service-app-xxxxxxx/catalog-service-app.log
tango-blueprint-service-app-xxxxxxx/tango-blueprint-service-app.log
proxy-service-xxxxxxx/squid-proxy.log

vCenter

vpxd-xxxx.log 

Snippets



vCenter
2021-01-06T05:45:16.075Z verbose vpxd[04022] [Originator@6876 sub=Default opID=4d822cb6] [VpxVmomi] Invoking [reconfigure] on [vim.VirtualMachine:vm-748] session [52d723af-ca77-4846-2ffc-943a15ac0d3c(520ecdac-6870-7740-2a98-8ca92a0ed8f6)]
2021-01-06T05:45:16.075Z verbose vpxd[04022] [Originator@6876 sub=Vmomi opID=4d822cb6] Invoke error: vim.VirtualMachine.reconfigure session: 52d723af-ca77-4846-2ffc-943a15ac0d3c Throw: vim.fault.NoPermission

vRA

2021-01-06T05:45:16.059Z [priority='INFO' thread='vsphere-io-70' user='' org='' context='' parent='' token=''] c.v.p.c.m.a.vsphere.InstanceClient.log:448 - Customizing after clone, setting cpu count to [2] on VM [VirtualMachine:vm-748].
2021-01-06T05:45:16.060Z [priority='INFO' thread='vsphere-io-70' user='' org='' context='' parent='' token=''] c.v.p.c.m.a.vsphere.InstanceClient.log:448 - Customizing after clone, setting memory in MB to [2048] on VM [VirtualMachine:vm-748].
2021-01-06T05:45:16.067Z [priority='ERROR' thread='vsphere-io-70' user='' org='' context='' parent='' token=''] c.v.p.c.m.a.v.u.c.SOAPMessageHandler.logMessage:113 - Fault received from vCenter : <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENV="http://
schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header/><soapenv:Body>
        <soapenv:Fault><faultcode>ServerFaultCode</faultcode><faultstring>Permission to perform this operation was denied.</faultstring><detail><NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission"><object type="VirtualMachine">vm-748</object><privilegeId>VApp.ApplicationConfig</privileg
eId></NoPermissionFault></detail></soapenv:Fault>
        </soapenv:Body></soapenv:Envelope>


After a little bit of research found that the following permission was missing adding this specific permission to the user account which is doing this task did help in resolving this problem

vApp.vApp application configuration: Allows modification of a vApp's internal structure, such as product information and properties.

If you look at the vRA log snippet in detail it clearly tells you that what permission is needed in order to fix this issue.

<privilegeId>VApp.ApplicationConfig</privileg
eId></NoPermissionFault>

For more information on permissions or privileges refer to doco:


https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-20C1A2F2-F7ED-4E03-A62C-E2E6F3743E39.html






40 views0 comments