natxoasenjo
Enthusiast

remove datastore role


Hi,

I created a vCenter role that can remove datastores. Then at the root of vCenter I added a permission to an AD user and coupled it to this role, and it propagates.


When I run my script I get this error:


Datastore NFS_Sata_02_GX_BACKUP_15358_2 inaccessible, removing


SOAP Fault:

-


Fault string: Permission to perform this operation was denied.

Fault detail: NoPermissionFault


This is my code:


====================begin script ==============================================


#!/usr/bin/env perl

# Disable SSL hostname verification for vCenter self-signed certificate
BEGIN {
    $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
}

use strict;
use warnings;

use VMware::VIRuntime;
use VMware::VILib;
use VMware::VIExt;

# Close the session if the script dies part-way through
$SIG{__DIE__} = sub { Util::disconnect() };

my %opts = (
    vihost => {
        alias    => "h",
        type     => "=s",
        help     => "The host to use when connecting via a vCenter Server",
        required => 0,
    },
    list => {
        alias    => "l",
        type     => "",
        help     => "List the currently inaccessible NAS file systems",
        required => 0,
    },
    list_and_remove => {
        alias    => "r",
        type     => "",
        help     => "List and remove the currently inaccessible NAS file systems",
        required => 0,
    },
);

Opts::add_options(%opts);
Opts::parse();
Opts::validate();

my $list            = Opts::get_option('list');
my $list_and_remove = Opts::get_option('list_and_remove');

Util::connect();

# Only the host name is used from these views
my $esxhost_view = Vim::find_entity_views(
    view_type  => 'HostSystem',
    properties => ['name'],
);

for my $host ( sort { $a->name cmp $b->name } @$esxhost_view ) {
    print $host->name, "\n";

    # set this variable to get the host view correctly per esx host
    Opts::set_option( 'vihost', $host->name );

    # we need only the datastore info of every esx host
    my $host_view =
      VIExt::get_host_view( 1, ['configManager.datastoreSystem'] );
    Opts::assert_usage( defined($host_view), "Invalid host." );

    my $datastore_system =
      Vim::get_view( mo_ref => $host_view->{'configManager.datastoreSystem'} );

    if ( defined $list ) {
        list_nas($datastore_system);
    }
    elsif ( defined $list_and_remove ) {
        remove_ghost_nas($datastore_system);
    }
    else {
        Opts::usage();
        exit 1;
    }
}

Util::disconnect();

# Print every NAS datastore the host reports as inaccessible
sub list_nas {
    my ($dssys) = @_;
    my $datastores = $dssys->datastore;

    foreach my $dsRef (@$datastores) {
        my $ds = Vim::get_view( mo_ref => $dsRef );
        if ( $ds->info->isa("NasDatastoreInfo") ) {
            next if $ds->summary->accessible == 1;
            print $ds->info->name, " inaccessible\n";

            #$dssys->RemoveDatastore(datastore => $dsRef);
        }
    }
}

# Remove every NAS datastore the host reports as inaccessible
sub remove_ghost_nas {
    my ($dssys) = @_;
    my $datastores = $dssys->datastore;

    foreach my $dsRef (@$datastores) {
        my $ds = Vim::get_view( mo_ref => $dsRef );
        if ( $ds->info->isa("NasDatastoreInfo") ) {
            next if $ds->summary->accessible == 1;
            print $ds->info->name, " inaccessible, removing\n";

            $dssys->RemoveDatastore( datastore => $dsRef );
        }
    }
}


 


=====================end script ====================================


If I run it with the --list switch it's ok:


 


perl rm-esx-inaccessible-nasdatastores --list
esx1.domain.tld
esx2.domain.tld


.....


esx222.domain.tld
Datastore NFS_Sata_02_GX_BACKUP_15358_2 inaccessible
Datastore NFS_Sata_04_GX_BACKUP_15361_2 inaccessible
esx333.domain.tld
Datastore NFS_Sata_01_GX_BACKUP_15359_2 inaccessible


esxxxx.domain.tld


esxxxx.domain.tld


Datastore NFS_TEMP_GX_BACKUP_15357_2 inaccessible

Is it possible to use a vCenter role to remove datastores, or do I have to create local roles and local users?

 


 


 

Reply
0 Kudos
stumpr
Virtuoso

Have you tried it with a full VMware Admin account?  Definitely looks like a permission issue.

Reuben Stump | http://www.virtuin.com | @ReubenStump
Reply
0 Kudos
natxoasenjo
Enthusiast

Hi,

With an administrator role account:

SOAP Fault:

-----------

Fault string: The vSphere HA agent on host 'esxxxx.domain.tld failed to quiesce file activity on datastore '/vmfs/volumes/2352de7a-a4778453'. To proceed with the operation to unmount or remove a datastore, ensure that the datastore is accessible, the host is reachable and its vSphere HA agent is running.

Fault detail: QuiesceDatastoreIOForHAFailedFault

I cannot remove them using the vCenter GUI either, so it appears the permissions message is a bit bogus.

Oh well, I'll write a script to create a local role, add a local user to that role and remove the datastore per ESX host. A bit more work, but thanks to this nice API quite doable.

Reply
0 Kudos
stumpr
Virtuoso

Possible condition below.  There was a bug in 5.1 I think as well, I'd have to dig up the KB.

Unmounting or Removing Datastore Fails

When you try to unmount or remove a datastore, the operation fails.

Reuben Stump | http://www.virtuin.com | @ReubenStump
Reply
0 Kudos
natxoasenjo
Enthusiast

I opened a case with VMware support and the correct answer is: 1. run it as root, or: 2. clone the local administrator role and start removing permissions until the right combination is met. I will test that path and come back when I get that combination :)

Reply
0 Kudos
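
The "clone the administrator role and remove permissions until the right combination is met" path from the last post can be run as a systematic reduction instead of by hand. This is an added example, not code from the thread or from VMware: a delta-debugging style minimizer in Python. `simulated_attempt`, `ADMIN_CLONE` and `SIMULATED_REQUIRED` are constructed stand-ins for "update the cloned role, then retry the removal as that user"; the required set shown is an assumption for the demo, not the actual privilege requirement.

```python
from typing import Callable, FrozenSet, Iterable, List

# Constructed sample: a few privilege IDs standing in for a cloned admin role.
ADMIN_CLONE = [
    "Datastore.Browse", "Datastore.Delete", "Datastore.Rename",
    "Global.Diagnostics", "Host.Config.Network", "Host.Config.Settings",
    "Host.Config.Storage", "System.Anonymous", "System.Read", "System.View",
    "VirtualMachine.Interact.PowerOff", "VirtualMachine.Interact.PowerOn",
]
# Assumption for the simulation only; the thread never states the real set.
SIMULATED_REQUIRED = frozenset({"Datastore.Delete", "Host.Config.Storage"})

def simulated_attempt(granted: FrozenSet[str]) -> bool:
    """Stand-in oracle. A real one would update the cloned role to `granted`,
    retry the operation as the test user, and return False on NoPermissionFault."""
    return SIMULATED_REQUIRED <= granted

def minimize_privileges(privs: Iterable[str],
                        allowed: Callable[[FrozenSet[str]], bool]) -> List[str]:
    """Return a 1-minimal subset of `privs` for which `allowed` still passes:
    dropping any single remaining privilege makes the operation fail."""
    current = sorted(set(privs))
    if not allowed(frozenset(current)):
        raise ValueError("starting role cannot perform the operation")
    n = 2  # number of chunks the current set is split into
    while current:
        size = -(-len(current) // n)  # ceiling division
        chunks = [current[i:i + size] for i in range(0, len(current), size)]
        reduced = False
        for chunk in chunks:
            rest = [p for p in current if p not in chunk]
            if allowed(frozenset(rest)):
                # The whole chunk was unnecessary: drop it and coarsen again.
                current, n, reduced = rest, max(n - 1, 2), True
                break
        if not reduced:
            if n >= len(current):
                break  # already tried removing each privilege on its own
            n = min(len(current), n * 2)  # split finer and retry
    return current

if __name__ == "__main__":
    for priv in minimize_privileges(ADMIN_CLONE, simulated_attempt):
        print(priv)
```

The result is only as good as the oracle: if the operation fails for a reason other than permissions (such as the HA quiesce fault seen earlier in the thread), the oracle must report that separately instead of treating it as a denied privilege.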