VMware Cloud Community
eddzzz
Contributor

Disable Suspend possibility of a VM

I am creating a VM with an encrypted disk using truecrypt (or I might go with something else) on VMware server ESXi.

Since truecrypt stores its key in memory, as probably any encryption does, I want to disable the possibility of writing this memory to disk. I already made all the disks independent, so I cannot make snapshots. So now I want to disable the Suspend option on this VM. Because putting a machine in suspended mode writes the memory to disk, and we do not want that.

How do I do this? How do I disable the suspend option?

Many thanks in advance.

0 Kudos
17 Replies
mclark
Expert

I think what you could easily do is use VirtualCenter roles and Active Directory groups to do this if you have VirtualCenter, or just use roles and users in ESX if not. You can create a new role that has whatever options you want to allow, minus the ability to suspend a VM. You could assign this role to a specific user or group. Then assign that user or group to the VM.

I'll give an example using Virtual Center and AD:

1) Set up a group in AD with the user(s) you want to use the VM but not allow the suspend right

2) In VC, click the Administration button and clone an existing role (such as Virtual Machine User) to a new role such as "No Suspend"

3) Modify the No Suspend role to remove suspend, and set any other options you want

4) Back in the Inventory button, click on the VM you want to not allow to be suspended, then click the Permissions tab

5) Right-click to add a new permission, selecting the AD group you created in #1, and giving it the "No Suspend" role

I've found that roles take the least-privileged access available, so if you are in the Administrators role and the No Suspend role, you will get the rights of No Suspend, so be careful. In each VM we have an Administrators group that I am in, then I have the other appropriate groups that the users themselves are in that give them the access they need to the specific VM.

eddzzz
Contributor

It sounds like this could be enabled and disabled on a running machine. Since I am a little paranoid, I don't want to give anybody the possibility to make a readable (not encrypted) memory dump, not even admins. At least not without shutting down the machine (since after that you need the encryption passphrase).

Removing the suspend mode altogether, for all admins would probably be a good solution. We don't need it anyway. How definite would that be? Is it irreversible?

0 Kudos
eddzzz
Contributor

(different question, moved to new topic)

0 Kudos
mclark
Expert

If you set up the rights correctly, you can do this easily. Set up at least 2 groups in Active Directory. One group would have only you in it. This group would have "full control" of the VM, including being able to suspend. Another group would be your users that can do whatever you want them to do (including not being able to suspend). You could have a third group for other admins that would allow them to do everything except suspend. You probably also don't want to allow anyone other than yourself to snapshot the VM since that would create additional files including possibly a snapshot of the current memory. As I mentioned previously, just make sure you don't put yourself in more than one of the groups you assign to the VM. Put yourself only in the Super-Admin group and nothing else. If you do, you will get the least-privileged rights. You could take yourself out of one of the least-privileged groups and get your rights back, but it's better just to not do it in the first place. I also assume that only you have the password to the 'root' user of the ESX server. You wouldn't want anyone else to have the 'root' password so they can't use that account to do VM tasks. Also, I assume that if you are using Active Directory for the groups, that no one can add themselves to the group, therefore granting themselves the rights you are trying to limit.

YMMV, but by doing what I've described we've been able to limit who has access to certain VMs, and to limit what they can do with the VM. Test it out in your environment to be sure it will also do what you want it to do.

0 Kudos
eddzzz
Contributor

Unfortunately we do not have an active directory. So that won't work.

And beside that, even I do not want to be able to put the vm in suspend. I want it just to be impossible (at least without having to reboot the vm).

0 Kudos
Dave_Mishchenko
Immortal

You can do that without active directory - http://www.vm-help.com/esx/esx3i/assigning_permissions/assign_permissions.php. You might also check out http://sanbarrow.com/ to see if there are any parameters for the VMX file that might disable suspend.

0 Kudos
mclark
Expert

As I mentioned in my initial response, you can do the same thing I described, in the same way, using only ESX groups and users if you don't have Active Directory. You can also take away the suspend right even from yourself if you want. I just don't know if you can take it away from 'root' or not. In any case, you always have the ESX logging to see who's logged in and done what.

Also, as I mentioned in my follow-up response, you not only have to worry about suspend, you also need to worry about snapshot, because when you take a snapshot it also snapshots the current VM memory (or you can tell it to). Therefore you'd probably have to take away snapshot from everyone if you don't want running memory to be 'stored'. That is a much bigger loss to take, I think, because then you cannot snapshot the VM and make changes and be able to go back to a known good state.

0 Kudos
eddzzz
Contributor

I am looking into the groups thing to see if that works for me. But I am a little disappointed that I cannot disable it for a machine.

As I said in my first post I disabled the snapshot possibility by setting the disks in independent mode, which makes the suspend command return an error.

0 Kudos
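
A way to check the two conditions discussed in the posts above (every virtual disk in independent mode, and no suspend or snapshot state files left on the datastore), as an added example that is not part of the original thread. The VMX key names (`present`, `fileName`, `mode`) and the `.vmss`/`.vmsn`/`.vmem` suffixes are VMware conventions not mentioned in the posts; the function names and the sample input are constructed for illustration.

```python
import re

# Suffixes VMware uses for saved guest state: .vmss (suspend state),
# .vmsn (snapshot state, may include memory), .vmem (guest memory image).
MEMORY_STATE_SUFFIXES = (".vmss", ".vmsn", ".vmem")
VMX_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
DISK_KEY = re.compile(r'^((?:scsi|ide|sata)\d+:\d+)\.(present|mode|filename)$', re.I)

def parse_vmx(text):
    """Return {lowercased key: value} for each key = "value" line of a .vmx."""
    matches = (VMX_LINE.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in matches if m}

def audit_vm(vmx_text, dir_listing):
    """List findings: disks that can be snapshotted, memory state on disk."""
    disks = {}
    for key, value in parse_vmx(vmx_text).items():
        m = DISK_KEY.match(key)
        if m:
            disks.setdefault(m.group(1), {})[m.group(2)] = value
    findings = []
    for dev, props in sorted(disks.items()):
        is_vmdk = props.get("filename", "").lower().endswith(".vmdk")
        if props.get("present", "").upper() != "TRUE" or not is_vmdk:
            continue  # skip absent devices and CD-ROM/ISO entries
        # A disk with no mode entry is a normal (dependent) disk.
        if not props.get("mode", "").lower().startswith("independent"):
            findings.append(f"{dev}: disk is not independent, snapshots possible")
    for name in sorted(dir_listing):
        if name.lower().endswith(MEMORY_STATE_SUFFIXES):
            findings.append(f"{name}: saved guest memory/state on datastore")
    return findings

# Constructed sample input (not from the thread).
SAMPLE_VMX = '''
scsi0:0.present = "TRUE"
scsi0:0.fileName = "crypt.vmdk"
scsi0:0.mode = "independent-persistent"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "data.vmdk"
ide1:0.present = "TRUE"
ide1:0.fileName = "install.iso"
'''
SAMPLE_FILES = ["crypt.vmdk", "data.vmdk", "vm.vmx", "vm-4f3a2b1c.vmss"]

if __name__ == "__main__":
    print("\n".join(audit_vm(SAMPLE_VMX, SAMPLE_FILES)))
```

Run against a copy of the VM's `.vmx` and a listing of its datastore directory; an empty result means no disk can be snapshotted and no saved memory state was found.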
RParker
Immortal

There is an option to run a script when you click the suspend button in VM Ware. Just disable the functionality of the script, and you won't be able to suspend the VM.

0 Kudos
eddzzz
Contributor

Disabling the script is enough to kill suspend?

But how do I disable this script?

I don't think you mean that I should uncheck the "Run script at suspend option" in the settings.

(I was already looking at the scripts for a solution. But my idea was to create a script that kills the server when going into suspend. Which of course is not so nice. And the problem is that the suspend script isn't running when going into suspend. I posted a new topic about this: http://communities.vmware.com/thread/205370)

0 Kudos
mclark
Expert

The script would stop people from suspending from within the VM, but you can still suspend from the ESX console or VirtualCenter server. You would take away the rights to be able to suspend to stop that. I found another option you could also use. That is the 'Alarms' functionality of ESX. I just tried it, and it works. I went into a VM and configured a new alarm that I called 'Disable Suspend'. I set up the alarm to trigger red when the VM state goes to 'Suspend'. I set the action to 'Power on a VM'. You could also add having it send an email. By doing this I was able to suspend the VM, but then it immediately went back to powered on. So it seems like you could do three things:

1) Deal with the VMware tools script from within the VM (although you said that doesn't work anyway)

2) Remove the permissions to be able to suspend from the console

3) Set up a trigger to email you if someone does try to suspend it, and have it immediately go back to powered on.

0 Kudos
eddzzz
Contributor

What I really want is to disable it from the ESX console or Virtual Center. It is not possible to suspend it from within the VM.

I think starting a script when going into suspend would solve my problem. Which is really that the encryption key in the memory would be written to disk when suspending. I can remove this key using a script. So when suspending it would remove the key from memory and therefore solve my problem.

But as you said, the scripts don't work. So I need to focus on this.

Does anybody have an idea? Please, I have opened a separate topic about this: http://communities.vmware.com/thread/205370

0 Kudos
RParker
Immortal

I don't think you mean that I should uncheck the "Run script at suspend option" in the settings.

Yes, that's exactly what I am saying. But in looking at those settings there is no 'disable' function, so you have to resort to permissions. If someone doesn't have permission they can't do it. It's that simple.

And I don't understand where you say it's not possible to disable suspend. Windows has built in ACPI functionality that by interrogating the hardware, it presents a set of options based upon capability. So this can be changed in the power options. You take away Windows ability to enable these (hibernate, suspend, shutdown, etc..) you effectively prohibit it from suspend. An OS does not inherently suspend by default, it's based upon hardware that's supported. You turn this off, you can't suspend.

So you are trying to remove the capability, which cripples the abilities of VM ware, because at some later date should you want to reverse this decision you have 'broken' future attempts to do so.

You just need to set the permissions from the VIC level AND OS level by disallowing users from suspending (group policy perhaps) and that will take away any and all ability to suspend. The scripts are just passthru to the underlying VM Ware service, that tells it what to do. Once it receives the proper signals, it performs the appropriate function. But if people don't have rights to do this in the first place, there is no way it will 'trickle' down to the OS, which is what you are after.

But the OS CAN be prohibited from suspend. Not only is it possible, but the suspend feature is just that a feature, it's not really part of the OS, it's an option. Options can be turned off.

0 Kudos
eddzzz
Contributor

Suspending from within the virtual machine is not the problem, no one has access. And in the virtual center we have only one user, so we only have one role: the administrator. So removing the suspend permission is not really useful, an administrator would always be able to turn it back on (or else you have to completely kill the admin role).

By the way, I was under the impression that when you suspend a virtual machine using virtual center the OS doesn't matter. VMware just stops the server and writes the memory to disk, no matter what the OS can or can't do.

If for some reason I just don't get it, I apologize. In any case I thank you for your help.

0 Kudos
RParker
Immortal

By the way, I was under the impression that when you suspend a virtual machine using virtual center the OS doesn't matter. VMware just stops the server and writes the memory to disk, no matter what the OS can or can't do.

Yes, but I was just trying to get you to the ultimate goal to inhibit suspension of the OS. In any case if you got what you needed, great. If not, please let us know thanks.

Honestly I haven't tried to do this myself, but from the OS perspective I routinely disable the 'default' features, because giving more options to people just means they will have that many more things to break.

0 Kudos
eddzzz
Contributor

I am afraid that I haven't got what I wanted. The thank you was just for the replies so far, which is friendly no matter if it solved my problem.

I think the only way to solve my problem is to get the scripts running on suspend. But I do not know where to start troubleshooting. Seeing the responses so far, I think I might not be the only one.

0 Kudos
eddzzz
Contributor

I think I know why the scripts aren't running. To run the suspend script, the suspend option must be set to Suspend Guest (just with Shutdown and Shutdown Guest).

But the RHEL5 server I am using doesn't have a suspend option, so I cannot set it to Suspend Guest (I can only choose Suspend) and therefore the scripts do not run.

0 Kudos