What user permissions/roles are required for the VMware vCenter user account to perform fence action using Vmware fencing agents?
Environment
- Red Hat Enterprise Linux Server 5 (with the High Availability Add on)
- Red Hat Enterprise Linux Server 6 (with the High Availability Add on)
- Red Hat Enterprise Linux Server 7 (with the High Availability Add on)
- Red Hat Enterprise Linux Server 8 (with the High Availability Add on)
- Red Hat Enterprise Linux Server 9 (with the High Availability Add on)
- Cluster nodes with Red Hat Enterprise Linux as VMware guests (RHEL 5.7+, RHEL 6.2+)
- fence_vmware_soap
- fence_vmware_rest
Issue
- What user permissions/roles are required for the VMware vCenter user account to perform fence action using fence_vmware_soap or fence_vmware_rest?
Resolution
In order to allow the VMware fencing agents to work, the configured vCenter user account needs to belong to a role with the following four privileges set in vSphere:
- System.Anonymous
- System.View
- VirtualMachine.Interact.PowerOff
- VirtualMachine.Interact.PowerOn
The first privilege is granted to the user automatically, as is the second once you have created a user that is allowed to log in to vSphere. That leaves the other two, which need to be added to the user account.
The following steps should add the necessary roles to the VMware vCenter user account:
1) Go to "Home" => "Administration" => "Roles" => "[vSphere server name]"
2) Right-click in the left frame and select "Add..."
3) Name this role in any way (e.g., "RHEL-HA fence_vmware_soap")
4) Under "Privileges", expand the tree "All Privileges" => "Virtual machine" => "Interaction"
5) Check both the "Power Off" and "Power On" boxes
6) Press the "OK" button
7) Then associate this role with the user/group you want running fence_vmware_soap.
Diagnostic Steps
The following commands can be used to test that fence_vmware_soap is working correctly. (Note: You may need to append --ssl-insecure to the commands below.)
# # Get the UUID of the VM you want to check
# fence_vmware_soap --ip <vCenter_IP> -z --username <username> --password <password> --action list | grep <VM_name>
# # Check power status of the VM
# fence_vmware_soap --ip <vCenter_IP> -z --username <username> --password <password> --action status -n <VM_UUID>
# # In versions of fence_vmware_soap older than fence-agents-4.0.15-8.el6, use `-U` instead of `-n`
# fence_vmware_soap --ip <vCenter_IP> -z --username <username> --password <password> --action status -U <VM_UUID>
The following commands can be used to test that fence_vmware_rest is working correctly. (Note: You may need to append --ssl-insecure to the commands below.)
# # Get the UUID of the VM you want to check
# fence_vmware_rest -a <vCenter IP address> -l <vcenter_username> -p <vcenter_password> -z -o list | egrep "(node1-vm|node2-vm)"
# # Check power status of the VM
# fence_vmware_rest -a <vCenter IP address> -l <vcenter_username> -p <vcenter_password> -z -o status -n <VM_UUID>
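As an added example (not from the article or the fence-agents project), the two fence_vmware_rest diagnostic commands above wrapped into a small POSIX shell pre-flight script: it resolves the VM name to its UUID from the list output, reads the power status, and turns the agent's exit code into a clear pass/fail so a missing privilege or bad credential shows up before a real fence is needed. The "name,UUID" list format, the "Status: ON|OFF" output and the use of the -S password-script option are assumptions made here.

```shell
#!/bin/sh
# Pre-flight check for the vCenter account used by fence_vmware_rest.
# Added example, not part of the article or the fence-agents project.
# Assumptions: the agent's "list" action prints one "<VM name>,<UUID>" line
# per VM, "status" prints "Status: ON|OFF", and the agent exits 0 on success
# and non-zero on failure (as fence agents normally do). The password is
# supplied through -S (a script that prints it) so it stays out of `ps`
# output and shell history. Append --ssl-insecure to the calls if required.

AGENT="${AGENT:-fence_vmware_rest}"

# Map a VM name to its UUID using the agent's list output (needs System.View).
# Arguments: vCenter address, password script, username, VM name.
vm_uuid_for_name() {
    "$AGENT" -a "$1" -l "$3" -S "$2" -z -o list \
      | awk -F, -v name="$4" '$1 == name { print $2; exit }'
}

# Query the power state of one VM. Exit code 0 means the account could read
# the VM; anything else means bad credentials, a missing privilege or an
# unknown plug, and the agent's own message is echoed to stderr.
# Arguments: vCenter address, password script, username, VM UUID.
vm_power_state() {
    if state=$("$AGENT" -a "$1" -l "$3" -S "$2" -z -o status -n "$4" 2>&1); then
        printf '%s\n' "$state"                      # e.g. "Status: ON"
    else
        rc=$?
        printf 'ERROR(rc=%s): %s\n' "$rc" "$state" >&2
        return "$rc"
    fi
}

# Combine both checks: resolve the name, then read the status.
# PowerOn/PowerOff cannot be verified without actually fencing, so exercise
# a real off/on action only against a disposable test VM, never a live node.
preflight() {
    uuid=$(vm_uuid_for_name "$1" "$2" "$3" "$4")
    if [ -z "$uuid" ]; then
        printf "VM '%s' not in list output (check the name and System.View)\n" "$4" >&2
        return 1
    fi
    vm_power_state "$1" "$2" "$3" "$uuid"
}

# Usage: ./preflight.sh <vCenter address> <password script> <username> <VM name>
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```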
Additional Information:
For more information about the requirements and support for the VMware fencing agents, and about configuring them to fence VMware cluster nodes, see the following articles:
- How to configure VMware fencing using fence_vmware_soap in Red Hat Enterprise Linux High Availability Add On?
- How to configure a stonith device using agent fence_vmware_rest in a RHEL 7, 8 or 9 High Availability cluster with pacemaker?
For information about the privileges a user can have and how to manage them, see the following VMware articles:
- Defined Privileges (docs.vmware.com)
- vSphere Permissions and User Management Tasks (docs.vmware.com)
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.