I am trying to find out if there is a way to prevent a VM from being 'Removed from Inventory' or 'Delete from Disk'. When I am running my code on a VM i don't want the user to be able to delete it. I have a CustomTask associated with the VM and there is a field in TaskInfo called locked. Does anyone know how to set the locked field or even if that will fix my problem.
This sounds like a great use of 'Roles' and 'Permissions' which can be customized so that a user can manage his/her VM without the ability to delete/remove a VM, you'll need vCenter to implement this.
=========================================================================
William Lam
VMware vExpert 2009
VMware ESX/ESXi scripts and resources at:
VMware Code Central - Scripts/Sample code for Developers and Administrators
If you find this information useful, please award points for "correct" or "helpful".
I want the user to be able to delete/remove the VM. I just don't want them to be able to do it when i am running a task on it.
Example: If you do a clone on a VM. It changes the VM you are cloning to not allow you to delete or remove it until the clone has finished.
This all depends on the operation you're performing, in a clone, yes the VM object will be locked from making any changes to. afaik, the Locked field is not something you can set but done internally within the APIs, if you take a look at the description, it says the following:
If the state of the task is "running", then this property is a list of managed entities that the operation has locked, with a shared lock.
This property is primarily set based on the entities being modified and if the task is in a 'running' state. If you operation requires a lock, then it will not allow a user to remove/delete.
Probably be a good idea to have some type of communication with your customers or even setup change control so you don't run into this problem ... if it's actually occurring.
=========================================================================
William Lam
VMware vExpert 2009
VMware ESX/ESXi scripts and resources at:
VMware Code Central - Scripts/Sample code for Developers and Administrators
If you find this information useful, please award points for "correct" or "helpful".
So the only way to prevent a deletion is change user permissions?
I'm saying if you don't want a user to delete/remove a VM, the permissions is the way.
Regarding your 'custom process' ... if the operation is something that would prevent someone from deleting an entity, it'll be implemented by VMware by default internally... I don't think you have control over that.
If you can describe what you're doing, perhaps we can help shed more light. Again, in the simplest scenario if you perform say a CloneVM_Task() operation using the SDK, then the VM object will be locked and no one will be able to delete/remove until it's completed. You don't need to do anything extra ... it would be the same if you were performing a ReconfigVM_Task(), the VM entity would be lock until the change has completed. Do you get what I'm saying? So I'm not exactly clear on what operation you're performing that would allow a user to delete the object, again this is handled internally
=========================================================================
William Lam
VMware vExpert 2009
VMware ESX/ESXi scripts and resources at:
VMware Code Central - Scripts/Sample code for Developers and Administrators
If you find this information useful, please award points for "correct" or "helpful".
Well the problem is that during my custom task is not doing a vmware task. So the VM will not be locked. I am creating a Custom Task that is associated with a VM object. I start the task and it says 'In Progress'. Then I delete the VM that the Custom Task is associated with and can no longer update the Custom Task. So I have created an orphaned Custom Task. To prevent this I was going to prevent the VM from being deleted/removed while I am running a custom task on it.
I don't think using permissions is going to work in this case. I only want that one VM to be locked and I want it to be locked for every user that has access to that vCenter. I also only want it locked during the Custom Task. I have not used permissions but is it possible to do this ?
I'm still not quite sure I understand your use case .. or what 'custom task' you're performing.
I am creating a Custom Task that is associated with a VM object. I start the task and it says 'In Progress'. Then I delete the VM that the Custom Task is associated with and can no longer update the Custom Task
??? sounds like you're just deleting the VM ???
Again if you know which VM and no one else should have permission then you should use roles/permissions to not allow anyone else but you to delete or update.
=========================================================================
William Lam
VMware vExpert 2009
VMware ESX/ESXi scripts and resources at:
VMware Code Central - Scripts/Sample code for Developers and Administrators
If you find this information useful, please award points for "correct" or "helpful".
I'd follow Iamw's recommendation and define roles and permissions. I'd also get a regular backup process implemented on the VMDKs (VCB or some 3rd party VMDK aware product).
I don't think there will be much else you can do outside of custom roles and permissions.
We have Role\Responsibilities set that way we want. However, we have a need for flagging a specific VM as PROTECTED, so that any user, Enterprise admin or other would not be able to delete without first removing that flag.
For example, a Root Certificate Authority best practice is to have the Root CA powered down during most of the year. Only a few times during the year would you bring the Root CA up for maintenance for a few hours while changing keys. For this reason, this VM will be powered down 99.99% of the time and we would like to flag it so that no-one can delete it without first removing that flag. This is similar to the boolean value that protects Active Directory accounts from being deleted inadvertantly.
I was hoping that there would be some variable you can manually enter on the .vmx file that would protect the VM from being deleted. Does anyone know of such a feature\flag?
please tell me this is done somewhere by now