VMware Cloud Community
SBaldridge
Contributor

Best way to add permissions to a shared datastore?

I have an application (Replay) that needs to be able to restore a VM to an ESX.  It is aware of vCenter and uses it to identify hosts and datastores but then it wants to SSH to that host, mkdir a directory on a datastore, then copy vm disk data.  The connection and file operations are unattended.


I have created a user on an ESX 4.1 host but that user does not have rights to create a directory on the datastore.  I want to be careful applying permissions because this datastore is shared storage between this cluster and there are production vms running on it.  I also don't want to enable the root user to have SSH access nor do I want the root password to be known by other business owners of the Replay application.

I already tried adding this new user directly on the host, enabling SSH access for it, and adding that user to the Administrator role on the ESX by using the vSphere client.  I thought that would be enough to permit the file operations but when the user account wants to mkdir there is an access denied error.

Can someone recommend a solution?

Thank you,

Scott

6 Replies
JDLangdon
Expert

Any permissions you create/add from within vCenter are only applied to vCenter objects.  If you need to SSH into a host server, make a directory, and then copy files directly to an ESX host, you'll need to add the user you created to the ROOT group on the ESX server itself.

SBaldridge
Contributor

Thank you for replying.  I have added this user to the root group but the user still cannot make directories; the error is "cannot create directory... permission denied".  The user is only a member of the root group, although I have tested with both root and users group memberships.  In the past I've used chmod to add permissions to a directory, but it seems like the user being in the root group should be enough?

I did not mention it previously but the datastore is an NFS volume and shared among the cluster members.

Thanks again.

IanBerg
Enthusiast

I would check your permissions by using "su - username" on the host.  Once you're logged in as that user, try to make a directory in the appropriate subdirectory off of /vmfs/volumes.

If it fails, look at this user's permissions to the datastore folder ("ll /vmfs/volumes/datastorename").  In my case all of the folders are owned by user root and group root.  However, by default the permissions are 755 so a group membership of "root" won't help because group members don't have write.  If you can, I would test this on a non-essential datastore and modify the permissions of the datastore directory itself to be 775 (rwxrwxr-x).

In addition, if the user's default group is not root but users or something else, the new directories in the datastore will be created with the wrong group membership unless you modify the user's shell variables.  I'd simplify this by making sure the default group of the user is "root".

I don't believe your NFS connection matters here.  The datastore is read/write to this host and all the hosts and locking takes place on a per host basis at the datastore subdirectory level.

Hope this helps.

SBaldridge
Contributor

Thank you, the group 755 perms were killing me; this solved my problem: modify the permissions of the datastore directory itself to be 775 (rwxrwxr-x).

IanBerg
Enthusiast

Glad this worked.  To modify the contents of a directory (e.g., create a file, create a directory) you have to have write permission to the containing directory.

I'm a little concerned that you're going to have issues with this if the file and group permissions are not root:root on the directories and files created by this other user.  Please make sure they are or I can't begin to guess what might break.

Best of luck,

IanBerg

JDLangdon
Expert
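As an added example, not code from this thread or from VMware, the POSIX shell script below reproduces the check IanBerg describes in the accepted answer and the containing-directory rule from his follow-up: given a datastore directory's mode and owner:group, it reports whether a user may create entries there, which is why membership in group root achieves nothing at mode 755 but works at 775. It also goes one step beyond the thread: setting the setgid bit on the directory (mode 2775) makes subdirectories created inside it inherit the directory's group, which addresses the root:root ownership concern without changing the user's default group. The user name "replay", the group lists, and the scratch directory are constructed for the example; nothing here touches a real datastore.

```shell
#!/bin/sh
# Added example: evaluate directory write access the way the kernel does.
# Owner bits apply if the user owns the directory; otherwise the group bits
# apply if any of the user's groups matches the directory's group; otherwise
# the "other" bits apply.  Only one class is consulted, never a union.
# Prints "allowed (owner)", "allowed (group)", "allowed (other)" or "denied".
# Usage: explain_write_access MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
explain_write_access() {
    mode=$1; owner=$2; group=$3; user=$4; user_groups=$5
    # Keep the last three octal digits (drops a leading setgid/sticky digit).
    perms=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    u=$(printf '%s' "$perms" | cut -c1)
    g=$(printf '%s' "$perms" | cut -c2)
    o=$(printf '%s' "$perms" | cut -c3)
    if [ "$user" = "$owner" ]; then
        [ $((u & 2)) -ne 0 ] && echo "allowed (owner)" || echo "denied"
        return 0
    fi
    for grp in $user_groups; do
        if [ "$grp" = "$group" ]; then
            [ $((g & 2)) -ne 0 ] && echo "allowed (group)" || echo "denied"
            return 0
        fi
    done
    [ $((o & 2)) -ne 0 ] && echo "allowed (other)" || echo "denied"
}

# Read the real mode and owner:group of DIR (GNU/busybox stat) and evaluate
# USER's write access.  Equivalent to reading the output of "ll <dir>" by eye.
# Usage: check_dir_write DIR USER
check_dir_write() {
    dir=$1; user=$2
    info=$(stat -c '%a %U %G' "$dir") || return 1
    set -- $info      # $1=mode $2=owner $3=group
    user_groups=$(id -Gn "$user" 2>/dev/null) || { echo "unknown user $user"; return 1; }
    printf '%s %s:%s mode %s -> %s\n' "$dir" "$2" "$3" "$1" \
        "$(explain_write_access "$1" "$2" "$3" "$user" "$user_groups")"
}

# Beyond the thread: on a scratch directory, apply group write plus setgid
# (mode 2775) and show that a new subdirectory inherits the parent's group
# instead of the creating user's default group.  Prints "inherited" or not.
demo_group_inheritance() {
    scratch=$(mktemp -d) || return 1
    chmod 2775 "$scratch"
    mkdir "$scratch/vm-01"
    parent_group=$(stat -c '%G' "$scratch")
    child_group=$(stat -c '%G' "$scratch/vm-01")
    rm -rf "$scratch"
    [ "$parent_group" = "$child_group" ] && echo "inherited" || echo "not inherited"
}

# Constructed scenario from the thread: datastore directory owned root:root,
# user "replay" whose only group is root.
echo "755 root:root, replay in group root: $(explain_write_access 755 root root replay root)"
echo "775 root:root, replay in group root: $(explain_write_access 775 root root replay root)"
echo "setgid inheritance on a scratch directory: $(demo_group_inheritance)"
```

On the host the manual equivalent is `ll /vmfs/volumes/datastorename` followed by `chmod 775` (or `chmod 2775` for group inheritance) on the datastore directory, tried first on a non-essential datastore as the accepted answer advises; `check_dir_write /vmfs/volumes/datastorename replay` reports the same verdict the `su - replay` and `mkdir` test would give, without creating anything.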

Most applications that perform this kind of task will SSH to the host as a regular user and then SU to root.  Like someone mentioned, I can't imagine what type of problems you may run into if you have someone other than ROOT creating files on your vmfs.