Bug 1014745 - Document permissions required by virt-who for enhanced reporting
Summary: Document permissions required by virt-who for enhanced reporting
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Docs Installation Guide
Version: 560
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Dan Macpherson
QA Contact: Dan Macpherson
URL:
Whiteboard:
Depends On:
Blocks: sat-docs
Reported: 2013-10-02 16:38 UTC by Rich Jerrido
Modified: 2019-08-15 03:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-21 02:09:07 UTC
Target Upstream Version:


Attachments
vSphere Permissions example (31.81 KB, image/png)
2013-10-11 14:35 UTC, Rich Jerrido

Description Rich Jerrido 2013-10-02 16:38:37 UTC
Description of problem:

The current release notes for Satellite 5.6 do not document which level of permissions is required for vSphere when using virt-who. In many cases, the team that provides the virtualization platform is different from the team running RHEL. Having the level of permissions documented will help with getting virt-who (and enhanced reporting) deployed.


Version-Release number of selected component (if applicable):
1.3

Comment 1 Clifford Perry 2013-10-11 11:05:54 UTC
Help us out - what permissions? 

I don't have knowledge of VMware to guide docs, so if there is something specific we should add, let us know. 

Cliff

Comment 2 Rich Jerrido 2013-10-11 14:35:39 UTC
Created attachment 811167
vSphere Permissions example

Comment 3 Rich Jerrido 2013-10-11 14:39:01 UTC
vSphere provides the capability of creating a read-only user [http://pubs.vmware.com/vsphere-4-esx-vcenter/index.jsp#managing_users_groups_roles_and_permissions/c_managing_users_groups_roles_and_permissions.html]. Our example uses the admin user who is effectively root (he has the 'Administrator' role). Are there any ill-effects of creating and using a read-only user? As I understand it, virt-who shouldn't require more than read-only access (but I don't know if that has been tested).

Comment 4 Dan Macpherson 2014-01-21 15:20:12 UTC
This bug can be worked on early during the planning stages for Satellite 5.7.

Comment 5 Megan Lewis 2014-03-14 01:03:57 UTC
Hi Rich, 

Thanks for the feedback. We'll have a look at the level of permissions required for vSphere when using virt-who. Any changes will be integrated into the documentation for the next release.

Thanks, 
Megan

Comment 16 Dan Macpherson 2014-12-31 01:07:44 UTC
Updated virt-who instructions in Sat 5.7 docs to note that you should create a read-only user specifically for virt-who's use.

Comment 21 Radek Novacek 2015-01-29 06:17:06 UTC
Hi Dan,

It is possible to scan multiple vCenter envs from virt-who. It's not possible to do it in /etc/sysconfig/virt-who. There is a directory /etc/virt-who.d/ where multiple config files can be created containing options for more vCenter servers.

See man virt-who-config(5).
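
As an added example (not part of this bug thread and not virt-who's own code), a small audit for the per-vCenter files in /etc/virt-who.d/ mentioned above, flagging sections that log in with an administrator-style account rather than the dedicated read-only user this bug asks to document. The sample files, host names, account names and the ADMIN_NAMES list are constructed assumptions; the keys type, server, username, password and encrypted_password are those described in virt-who-config(5).

```python
import configparser

# Assumption: account names treated as privileged; adjust for your site.
ADMIN_NAMES = {"root", "administrator", "administrator@vsphere.local"}

# Constructed sample files, one per vCenter, as they would sit in /etc/virt-who.d/.
SAMPLE_VCENTER1 = """
[vcenter1]
type=esx
server=vcenter1.example.com
username=Administrator
password=constructed-secret
"""
SAMPLE_VCENTER2 = """
[vcenter2]
type=esx
server=vcenter2.example.com
username=EXAMPLE\\virtwho-ro
encrypted_password=0123456789abcdef
"""

def audit_virt_who_config(text, source="<string>"):
    """Return a list of (section, finding) tuples for one config file's text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text, source=source)
    findings = []
    for section in parser.sections():
        opts = parser[section]
        if opts.get("type", "").strip().lower() != "esx":
            continue  # only vSphere/ESX sections are in scope here
        user = opts.get("username", "").strip()
        # Drop a DOMAIN\ prefix so DOMAIN\Administrator is caught too.
        short = user.split("\\")[-1].lower()
        if not user:
            findings.append((section, "no username set"))
        elif short in ADMIN_NAMES:
            findings.append((section, "privileged account %r; use a dedicated "
                                      "read-only user" % user))
        if "password" in opts:
            findings.append((section, "plaintext password; prefer "
                                      "encrypted_password"))
    return findings

if __name__ == "__main__":
    for name, text in (("vcenter1.conf", SAMPLE_VCENTER1),
                       ("vcenter2.conf", SAMPLE_VCENTER2)):
        for section, finding in audit_virt_who_config(text, source=name):
            print("%s [%s]: %s" % (name, section, finding))
```

The username check is only a name heuristic: the role actually granted to the account has to be confirmed in vCenter itself.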

Comment 22 Dan Macpherson 2015-02-03 00:32:21 UTC
Thanks, Radek!

Comment 24 Dan Macpherson 2015-02-04 02:46:30 UTC
Hi Rich,

I've pushed these changes live:

https://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_Satellite/5.7/html/Installation_Guide/chap-Red_Hat_Satellite-Installation_Guide-virt_who.html#sect-Red_Hat_Satellite-Installation_Guide-virt_who-virt_who_Setup

There is a new bug related to this issue here:
https://bugzilla.redhat.com/show_bug.cgi?id=1188720

Aside from this issue, does the new content reflect what you were after when you opened this bug?

- Dan

Comment 27 Radek Novacek 2015-02-16 13:45:54 UTC
Hi Rich and Ashish,

I've just tested permissions/roles set up for virt-who in a vSphere environment.

I created a new Role using vSphere Web Client completely without any privileges and created a new User that I've assigned this role to on the whole vCenter, and virt-who just worked. When I assigned this new role to one cluster and set the role to "No access" for another cluster, virt-who reports information only about the cluster it has access to.

Could you please ask the customers to try this? I've just tested in my testing environment and it would make me more certain if someone tries that in some real-world scenario.

Comment 28 Dan Macpherson 2015-02-17 01:20:27 UTC
I'll hold off on verifying this bug until the customers report back.

Comment 32 Radek Novacek 2015-02-19 14:29:40 UTC
I've put together a draft of a document that explains how to create a new user (both in vCenter and in AD) and configure it for use with virt-who.

You can check it here:

https://rnovacek.fedorapeople.org/virt-who/vsphereperm/

Please let me know if the information is correct and understandable, so we can incorporate it into the official documentation.

