I have just started using VI3 and when creating my first VM for a test, I logged in as root. I'm wondering if the best practice is to create a VM with a user other than root? I would like to then be able to delete and rename directories and files associated with this VM.
If it is best to create VMs with a user other than root, what group or permissions would this user need to login with the VI client and with WinSCP?
If you set the UID of a user to 0 then the login would have the exact same rights as the root account.
If it's just for yourself, then connecting to SSH with a regular account and then entering su -l when you need to manage folders might be sufficient.
That said, it would be nice to be able to grant a user full control of a data store, but the default permissions for a VM go to root (i.e. so it can be managed by VI and other processes that don't know about your local account).
For VI you can create roles that are able to manage certain aspects of your VI install and the permissions are quite granular.
"If it is best to create VMs with a user other than root, what group or permissions would this user need to login with the VI client and with WinSCP?"
Looks like you are asking two different things. The Virtual Machines should be created however you'd build a standalone server, so a Windows box would probably be built using the Administrator ID and a *nix would use root, with the standard caveat that these are well known superuser accounts and should be used with care once the server is on your AD/NIS/whatever network and can authenticate to a service instead of locally.
As far as letting people get access via WinSCP I'd be VERY careful about who you allow to log into the ESX console. I haven't done much research on it but if you don't trust your folks with root access you probably don't want them logged into your ESX server. I suppose you could chown some scripts to kill/restart specific services (like the one that speaks to VI), but frankly even that scares me.
Inside the VI client you just give users and/or groups rights the same way as to most Windows applications, in fact you can use the logical view (Inventory>Virtual Machines and Templates) to create an entire tree and assign rights to branch or leaf objects in this tree, i.e. create a folder called Web Servers and give your webmaster full rights to it. Simple and when you make a new web server all you have to do is drop it in that folder to have the appropriate rights applied.
It's best to create another user to do this instead of using root when logging into the SC or using SSH/SCP. Below is the procedure.
You can also create additional users for use in the VIC client on the Users/Groups tab. Just create a user, put it in the users group and then go to the permissions tab and assign permissions. You can look at this guide for more on permissions:
Managing VMware VirtualCenter Roles & Permissions - http://www.vmware.com/pdf/vi3_vc_roles.pdf
How do I create an account so I do not have to use root? This is the more secure way of logging into ESX without using the root account. You can create a user to do this using either the VI client or the Service Console. The VI Client is more difficult because it will not allow you to set the UID of the new user to 0 and will not let you ignore the password warnings like the Service Console will.
Service Console method:
Login to service console
Type useradd sshuser (or whatever username you want to use) to add the user
Type passwd sshuser to set the password for this user
Type usermod -g root sshuser to add the user to the root group
Type usermod -u 0 -o sshuser to change the UID of the user to zero to match root
VI Client method:
Start VI Client and connect to the ESX server directly instead of the VirtualCenter server, login as the root user
Select the Users and Groups tab
Right-click inside the Users view and select Add
Enter a name for your user in the Login field, ie. sshuser. You can leave the User Name field blank
Enter a password for the user (Password must be sufficiently complex and long enough or the create user operation will fail)
Put a checkmark next to Grant shell access for this user
Enter root in the Group field and click the Add button
Login to service console
Type usermod -u 0 -o sshuser to change the UID of the user to zero to match root
Message was edited by:
esiebert7625
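A check for the accounts this procedure produces, as an added example that is not part of the original posts: it lists every login other than root that has UID 0, primary group 0, or supplementary membership in the root group, reading passwd-format and group-format files. The function names and the sample account data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts other than root that carry root-equivalent
# identity in passwd/group-format files. Function names are hypothetical.

# usage: root_equivalents PASSWD_FILE GROUP_FILE
# prints "name:reason" per finding, sorted by name
root_equivalents() {
    awk -F: '
        # pass 1 (group file): remember supplementary members of GID 0
        FNR == NR {
            if ($3 == 0) {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") sup[m[i]] = 1
            }
            next
        }
        $1 == "root" { next }
        $3 == 0      { print $1 ":uid0"; next }   # same rights as root
        $4 == 0      { print $1 ":gid0"; next }   # primary group is root
        ($1 in sup)  { print $1 ":root-group-member" }
    ' "$2" "$1" | sort
}

# Constructed sample data (not taken from a real host).
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshuser:x:0:0::/home/sshuser:/bin/bash
operator1:x:500:0::/home/operator1:/bin/bash
webadmin:x:501:501::/home/webadmin:/bin/bash
auditor:x:502:502::/home/auditor:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root,webadmin
bin:x:1:root,bin,daemon
webadmin:x:501:
auditor:x:502:
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
root_equivalents "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

On a live service console the arguments would be /etc/passwd and /etc/group; a `uid0` finding is the one that matters most, since that login is root under another name.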
If you login to the VI client with a user other than root, a VM that you create will still be owned by the root user. So you won't be able to manage the folders / files with a user other than root after the VM is created.
sudo might work for you as posted here. Is there a specific need you have for users being able to manage folders?
http://www.vmware.com/community/thread.jspa?threadID=86433
Also are you running VirtualCenter or just a standalone ESX host?
The only work-around that I found was changing the UID of the new user to match root, 0 and then you can access anything owned by root.
To answer Dave's question... I'm only looking to give myself the ability to manage folders from my desk.
esiebert, if I put this user in the root group, will this give this user the ability to do as much damage as root? I'm used to Windows and NetWare in which you can give a user rights to a folder and then he can modify anything in or below that folder. Can this be done in the same way with ESX?
Dave, I forgot to answer your second question. I am running VirtualCenter, but I'm new to this so I might not be running it very well.
I'm not entirely sure, the actual root user is a member of the root, bin, daemon, sys, adm, disk, wheel groups. I added a user to the root group and could not access files created by root without changing the UID to 0 to match root. You can probably assign rights to folders in Linux like in Windows, I'm no Linux expert though so I'm not sure of the procedure for that.
The VM files are created with rw------- permissions and are owned by user root and have group root. This means that only owner (i.e., root or user with UID 0) has read and write permission and there are no other permissions set for anyone else. If you wanted to be able to manage (i.e., read and write) these files as another user you would have to 'chmod' the files, such that this other user has access to it. For example, if you do:
chmod 660 Filenames
Then the group is also given permission to read and write and your user that belongs to the root group will be able to 'manage it'.
Dave, I like the idea of using the su -l command. Is there a way to accomplish the same thing in WinSCP? Can I login to WinSCP as my sshuser and then switch to being root once I'm connected?
Also, mbrkic mentioned the command "chmod 660 Filenames". Is it possible to run a command that would give sshuser rwx rights to a folder and any subfolders and files under that folder?
You could run chmod (you'd probably want chmod 777 to give rwx to the root group and other groups) and you would want to run it on both the folder and the files in the folders (chmod 777 * will work fine for the files - assuming the VM is not running or the files are in use by some other process).
I made the above changes and it didn't seem to affect the VMs in a negative manner. The permissions are preserved if you migrate the VM to another ESX host and keep it on the same data store. The permissions reset to normal if you migrate the VM to a new data store.
I'm not sure you'll be able to do an SU with winscp, but if you are copying files to and from your ESX host, you should be running vmkfstools -e (to create a copy of the VMDK to copy off the system) and vmkfstools -i (on any vmdk files you copy to the server). When you run vmkfstools you can specify a location to which your sshuser will have full rights (as the destination for the export or source for the import).
That said, if you have VirtualCenter there are options to both clone a VM (including running sysprep - assuming you're running windows VMS), and you can also create a template from a VM from which you can deploy new VMs (i.e. essentially a copy of the template VM). That functionality might provide what you are trying to accomplish here.
You can use -R for chmod to recursively change permissions for a directory and all subdirectories and files (be careful and make sure you know what you are doing). The problem with changing permissions (and/or ownership) of files in the service console is that some operations (like snapshots) will still create files owned by root and with default permissions (i.e., rw-------), and this can quickly become a nightmare to manage.
In winscp, you can change to root but you will have to set-up sudo (man sudo, man sudoers) so that your non-root user can 'become root' by running:
sudo su -
Then you can specify the shell for scp (under "Environment/SCP") to be something like
/bin/bash -c 'sudo su -'
and that should do it.
If you set sudo up this way you can also use:
sudo su -
in your interactive logins to switch to root and the above method to manage all files as root through winscp, while still leaving remote ssh login disabled for root.
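A way to see which paths under a VM directory were opened up by hand-run chmod commands such as the 660 and 777 changes discussed in this thread, as an added example that is not part of the original posts. The function names, directory and file names are constructed; the sample reproduces the mixed state in which a later-created file is back at owner-only permissions.

```shell
#!/bin/sh
# Added example: find paths under a VM directory that the group or everyone
# can write to. Function names and the sample directory are constructed.

# usage: loosened_paths DIR
# prints "world-writable PATH" or "group-writable PATH", sorted
loosened_paths() {
    {
        find "$1" ! -type l -perm -002 \
            -exec printf 'world-writable %s\n' {} \;
        find "$1" ! -type l -perm -020 ! -perm -002 \
            -exec printf 'group-writable %s\n' {} \;
    } | sort
}

# Constructed VM directory: two files loosened by hand, and one file created
# later with the default owner-only mode (rw-------).
make_sample_vm_dir() {
    mkdir "$1/testvm" && chmod 700 "$1/testvm"
    for f in testvm.vmx testvm.vmdk testvm-flat.vmdk testvm-000001.vmdk; do
        : > "$1/testvm/$f"
        chmod 600 "$1/testvm/$f"
    done
    chmod 660 "$1/testvm/testvm.vmx"
    chmod 777 "$1/testvm/testvm-flat.vmdk"
}

tmp=$(mktemp -d)
make_sample_vm_dir "$tmp"
( cd "$tmp" && loosened_paths testvm )
rm -rf "$tmp"
```

Anything reported as world-writable can be modified by every local account on the host, which is a far wider grant than access for one administrator's login.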