VMware Cloud Community
KazO
Contributor

Datastore permission difference using Converter?

Hi.

We've recently expanded our VI installation to service a group outside our core team. So that their folks can administer their resources on their own, we created a new user w/Administrator role at their cluster level (as opposed to the Datacenter level). It all works perfectly fine, until they attempted to Cold Clone P2V (Converter 3.0.3 on boot CD). At the Datastore screen, there aren't any available datastores. When we went back and used my Datacenter level login instead (both were authenticating against VirtualCenter, not a host directly), the datastore was visible, and we proceeded with the conversion. I didn't think it's an inherent permissions issue, since the new user can create new VMs in the same datastore through the VI client.

So is there something different about permissions between VI Client and Converter that would cause this?

Kazuto Okayasu

Administrative Computing Services

University of California, Irvine

0 Kudos
6 Replies
Schorschi
Expert

In short, yes. Creating VMDKs via VI client direct to server, or VC connection versus ESX host, and even from the COS cli can all generate differences in file permissions. We also see this with the sticky bit at the top of the /vmfs file system depending on how the VMFS datastore was created or initialized. This variance is a known issue and is something that drives our security team nuts when they audit the file system permissions at the mount and file level.

0 Kudos
kjb007
Immortal

You will have to give the group read permissions at the datacenters (Hosts&Clusters) level in order for them to see datastores. Read is all that should be required, and make sure you uncheck the propagate, so the permission applies only to that level. Without further permissions, that group will not see any other clusters, but they will be able to see the datastores that will allow them to continue their process.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
KazO
Contributor

I added the Read permissions at both the Datacenter and Hosts & Clusters level, and the user was able to see the datastore. But they still aren't able to write anything to the datastore. Using VI Client continues to work perfectly.

On a related note, how are you supposed to retrieve the log file saved to Z:/something when using the boot CD? I'm trying to troubleshoot a P2V problem with a couple of boxes (they both stop with 'Unknown Error' at the end when it's "Preparing target Virtual Machine") but can't find a way to browse the filesystem to grab the log.

Kazuto Okayasu

Administrative Computing Services

University of California, Irvine

0 Kudos
TomHowarth
Leadership

Thread moved to the more appropriate VMware Converter forum

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
0 Kudos
kjb007
Immortal

Well, you've gotten further, so that's good. Still appears to be a permissions issue, so you will have to give it a little more rights and see if it will proceed. Since you are able to now see the datastores, it could be that the location you are trying to write to has not enough permissions?

Since the locations you're using are ramdrive, it is difficult to get data off after the fact. I can't offer any advice on retrieving the logfile from the client. You should be able to get some logging info from the server side as well.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
0 Kudos
theanykey
Virtuoso

If you are referring to obtaining the logs from a cold clone, please reference the attached screenshots. This references how to map a drive letter and then export logs to that mapped share.

0 Kudos