VMware Cloud Community
cspenpen
Contributor

When the ESX server reboots, permissions are lost

As the title says: when I reboot the ESX server and log in the next time, the permissions that I set in ESX before the reboot are lost. My environment doesn't use VC.

I searched the discussions, and it looks like there is no answer here.

Or can someone tell me how to back up the permission file?

Thanks~

0 Kudos
23 Replies
devis12345
Contributor

Hi all,

I have the same issue with permissions. After a reboot, all permissions assigned to groups are lost :(

Does anyone have a solution?

Thanks

0 Kudos
Texiwill
Leadership

Hello,

Is this ESXi or ESX?


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
devis12345
Contributor

My server is ESXi.

Thanks

0 Kudos
Texiwill
Leadership

Hello,

Moved to ESXi forum.

ESXi resets all permissions on all files within the non-VMFS section of ESXi on reboot. This is a security measure.


0 Kudos
devis12345
Contributor

Then you mean the permissions are stored in a non-VMFS section?

I have only disks formatted with VMFS. How can I solve this issue? I need to keep the permissions across reboots.

Thanks again.

Devis

0 Kudos
Texiwill
Leadership

Hello,

What permissions are you changing? And how are you doing it? Give paths please.


0 Kudos
devis12345
Contributor

Hello,

This is the scenario:

I have a virtual machine called "developA".

I created a group "developers", and I assigned the role administrator to group "developers" for this machine.

In this way all users in group "developers" can access machine "developA" from the VI Client and use it.

This works fine.

But when I reboot the server, this association is lost, and then all users belonging to "developers" cannot see this machine or use it.

Hope this is clear...

Devis

0 Kudos
Texiwill
Leadership

Hello,

That actually sounds like a bug. When you create that Role and Permission and are not using vCenter, it modifies a file within the / filesystem. Usually /etc/vmware/hostd/authorizations.xml.

Since that is not on the VMFS filesystem, a reboot causes that file to disappear. This sounds like a bug, as modifications through the VIC should not disappear. It is pretty easy to recreate this when the system is rebooted, but I see what you are getting at.

This also sounds like the free version, and if that is the case the limitation may permanently exist. You could use the RCLI vifs command to get the changed file and, on a reboot, put the file back and restart hostd.


0 Kudos
Dave_Mishchenko
Immortal

ESXi will save changes to configuration files to /bootbank/state.tgz when you restart a host and also at 1 minute past every hour. You could try this:

1) make your permission changes

2) at the console run /sbin/backup.sh 0 /bootbank/

3) ls -l /bootbank/ -- to verify that state.tgz has been updated.

4) reboot and see if the change has stuck.

0 Kudos
devis12345
Contributor

Unfortunately your solution doesn't work :(

I followed the steps but I lost the permissions at reboot.

Any other ideas?

What is the command in the Remote CLI that allows me to save and restore the XML file of permissions?

Thanks,

Devis

0 Kudos
Dave_Mishchenko
Immortal

The file that stores permissions isn't exposed to access by the RCLI but it can be found at /etc/vmware/hostd/authorization.xml.

If you change your permissions you should see that file updated. I would wait until a few minutes past the hour and then copy /bootbank/state.tgz to /tmp. Then extract it and see if the file is in there. This is one of the files that ESXi should be backing up to state.tgz.

0 Kudos
devis12345
Contributor

Hi Dave,

I checked. I have the same authorization.xml file in the etc path and also in state.tgz. It is updated every hour.

But when I reboot the server, all permissions are lost anyway. The file is not restored. Is state.tgz kept during a reboot?

Thanks

Devis

0 Kudos
devis12345
Contributor

In case state.tgz is kept after a reboot... can I restore the authorization.xml file manually?

I see that the file /etc/rc.local exists, and I guess this file is executed at every boot. Can I add a line here to restore the XML file by extracting it from state.tgz? I can write a few lines to extract and copy it, but there is probably a command that does this, right?

Thanks,

Devis

0 Kudos
devis12345
Contributor

Adding more info...

I read in another post that I can make any changes to authorization.xml and that, after restarting services with the command "/sbin/services.sh restart", these changes are applied.

I can say this is wrong! Changes are kept in authorization.xml but hostd cannot load these changes.

Then I tried to restart only hostd with the command "/etc/init.d/hostd restart". Well, my changes in authorization.xml were lost! It seems that hostd, when it restarts, completely rewrites authorization.xml with default settings and ignores changes made before. The default setting at each restart of hostd is:

<ConfigRoot>
  <ACEData id="10">
    <ACEDataEntity>ha-folder-root</ACEDataEntity>
    <ACEDataId>10</ACEDataId>
    <ACEDataIsGroup>false</ACEDataIsGroup>
    <ACEDataPropagate>true</ACEDataPropagate>
    <ACEDataRoleId>-1</ACEDataRoleId>
    <ACEDataUser>root</ACEDataUser>
  </ACEData>
  <ACEData id="11">
    <ACEDataEntity>ha-folder-root</ACEDataEntity>
    <ACEDataId>11</ACEDataId>
    <ACEDataIsGroup>false</ACEDataIsGroup>
    <ACEDataPropagate>true</ACEDataPropagate>
    <ACEDataRoleId>-1</ACEDataRoleId>
    <ACEDataUser>dcui</ACEDataUser>
  </ACEData>
  <NextAceId>45</NextAceId>

The strange thing is the number in the last row (in this case 45). It is incremented every time I make a change or add a permission. So it seems hostd reads the file but deletes all permissions different from the default.

Is there no possible solution to this problem?!

Thanks

0 Kudos
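An added example, not part of the original posts: a Python check that compares two copies of authorization.xml (taken before and after a hostd restart or reboot) and reports which entries vanished, whether only the default principals remain, and how many ACE ids were issued above the highest surviving entry. It assumes well-formed copies (the excerpt above lacks its closing `</ConfigRoot>`); the `vm-developA` entity name and ACE id 44 are constructed placeholders.

```python
import xml.etree.ElementTree as ET

DEFAULT_PRINCIPALS = {"root", "dcui"}  # the two entries in the posted default file

def ace(ace_id, entity, user, is_group="false", role="-1"):
    """Render one ACEData element with the fields shown in the post."""
    return (f'<ACEData id="{ace_id}"><ACEDataEntity>{entity}</ACEDataEntity>'
            f"<ACEDataId>{ace_id}</ACEDataId><ACEDataIsGroup>{is_group}</ACEDataIsGroup>"
            f"<ACEDataPropagate>true</ACEDataPropagate><ACEDataRoleId>{role}</ACEDataRoleId>"
            f"<ACEDataUser>{user}</ACEDataUser></ACEData>")

def document(aces, next_id):
    """Wrap ACE elements and the NextAceId counter in a ConfigRoot element."""
    return f"<ConfigRoot>{''.join(aces)}<NextAceId>{next_id}</NextAceId></ConfigRoot>"

def parse(xml_text):
    """Return ({(entity, principal, is_group, role_id)}, highest ACE id, NextAceId)."""
    root = ET.fromstring(xml_text)
    entries, max_id = set(), 0
    for node in root.findall("ACEData"):
        field = lambda name: (node.findtext(name) or "").strip()
        entries.add((field("ACEDataEntity"), field("ACEDataUser"),
                     field("ACEDataIsGroup") == "true", int(field("ACEDataRoleId"))))
        max_id = max(max_id, int(field("ACEDataId")))
    return entries, max_id, int(root.findtext("NextAceId"))

def audit(before_xml, after_xml):
    """Compare the permission set before and after a hostd restart."""
    before, _, _ = parse(before_xml)
    after, max_id, next_id = parse(after_xml)
    return {
        "lost": sorted(before - after),  # entries present before, gone after
        "only_defaults": {p for _, p, _, _ in after} <= DEFAULT_PRINCIPALS,
        # ids issued above the highest surviving ACE: a sign entries were dropped
        "unused_ids_below_next": next_id - 1 - max_id,
    }

# Constructed samples. AFTER mirrors the default file posted above; BEFORE adds a
# group entry with the same role id as root in that file ("vm-developA" and id 44
# are placeholders, not values from a real host).
DEFAULTS = [ace(10, "ha-folder-root", "root"), ace(11, "ha-folder-root", "dcui")]
BEFORE = document(DEFAULTS + [ace(44, "vm-developA", "developers", "true")], 45)
AFTER = document(DEFAULTS, 45)

if __name__ == "__main__":
    print(audit(BEFORE, AFTER))
```

Run against real copies by reading the two files and passing their contents to `audit`; a non-empty `lost` list together with `only_defaults` being true matches the behaviour described in this thread.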
Dave_Mishchenko
Immortal

The file will get extracted out of state.tgz by default, so there is no need to manually extract it. If you look at that file, is it correct to what you expect?

Also, if you edit the permissions and then look at the file, does it appear to be correct?

If you then run /sbin/backup.sh 0 /bootbank/ and then extract the file from state.tgz to /tmp, does it appear correct?

0 Kudos
devis12345
Contributor

Hi Dave,

In the end you are my only listener.

I hope to solve this with your help...

To answer...

>>The file will get extracted out of state.tgz by default so there is no need to manually extract it. If you look at that file is it correct to what you expect?

Yep, the file, after I extract it manually from state.tgz, is the same as the one I have in /etc/vmware/hostd.

>>Also, if you edit the permissions and then look at the file, does it appear to be correct.

>>If you then run /sbin/backup.sh 0 /bootbank/ and then extract the file from state.tgz to /tmp, does it appear correct?

Yep, if I edit permissions from VI, the permissions are stored correctly in authorization.xml and are applied on the server.

I tried to back up and extract and it is correct, neither backup nor restore.

I want to put your focus on one point in particular. If I edit the authorization.xml file manually, I mean with the vi editor and not from the VI client, no changes are applied to the server. I restarted the hostd daemon, but I cannot restore this file manually anyway. As I said in my previous post, it seems that hostd, when it starts, replaces all earlier changes with the default permissions I posted before.

I want to remind you that I'm using ESXi; is this perhaps a limitation of the free version?

Devis

0 Kudos
ollivetti
Contributor

Hello, I am experiencing the same issue with ESX 3.02!

Could anyone find a solution?

What I realized is that the inherited permissions stay - only the permissions set on one virtual server host get lost!

Regards Ollivetti

0 Kudos
Dave_Mishchenko
Immortal

Hello Ollivetti, ESXi and ESX do some things in different ways, so I would suggest a new post here - http://communities.vmware.com/community/vmtn/vi/install.

0 Kudos
ollivetti
Contributor

Hi Dave, thanks for your recommendations!

I just found a solution - there is a patch: ESX Server 3.0.2, Patch ESX-1003513

Have a nice day

Regards Ollivetti

0 Kudos