VMware vSphere & Foreman: What roles does Foreman need to provision & manage systems?

I am testing out Foreman 1.6 with VMware vSphere 5.5, following the notes
here: Foreman :: Manual .

I have created the Foreman user within vSphere and the Foreman user can
log in, can view some information about the VMs and can even power off &
power on the VMs.

When I create a new host, I get a standard permissions error:

Unable to save
Failed to create a compute vcenter.example.com (VMWare) instance
host13.example.org: failed to create vm: NoPermission: Permission to
perform this operation was denied.
In VMware vSphere, I can grant various roles to Foreman or to the Foreman
What roles does the Foreman user need in order to create VMs and manage the
lifecycle of the VMs? Is this written down anywhere?

Thank you,

-= Stefan

Hopefully you can see the image. That's the permissions I gave to my
foreman user.


Thanks Zach.

I also see these permissions for the Puppet Enterprise Cloud Provisioning
system, which is a similar idea to Foreman. I tried these and I'm still
getting NoPermission errors.


Provisioning With VMware

Puppet Enterprise provides support for working with VMware virtual machine
instances using vSphere and vCenter. Using actions of the puppet node_vmware
sub-command, you can create new machines, view information about existing
machines, classify and configure machines, and tear machines down when
they’re no longer needed.

The main actions used for vSphere cloud provisioning include:

  • puppet node_vmware list for viewing existing instances
  • puppet node_vmware create for creating new instances
  • puppet node_vmware terminate for destroying no longer needed instances.

Note: The command puppet node_vmware assumes that data centers are
located at the very top level of the inventory hierarchy. Any data centers
deeper down in the hierarchy (and in effect all objects hosted by these
data centers) are ignored by the command.

Here’s a fix:

  1. Move the data centers hosting the involved VMs/templates to the top
    level of the inventory hierarchy. This can be a temporary move.
  2. Perform the desired node_vmware actions. Both puppet node_vmware and puppet
    node_vmware create should see the VMs/templates hosted on the moved data
  3. Move the data centers back, if desired.

If you’re new to VMware vSphere, you should start by looking at the vSphere
documentation <http://pubs.vmware.com/vsphere-50/index.jsp>.

Permissions Required for Provisioning with VMWare

The following are the permissions needed to provision with VMWare, listed
according to subcommand. In addition, you should have full admin access to
your vSphere pool.

  • list – Lists any VM with read-only permissions or better.
  • find – Requires read-only permissions or better on the target data
    center, data store, network, or computer, as well as the full VM folder
    path that contains the VM in question.
  • start – Requires find permissions + VirtualMachine.Interact.PowerOn on
    the VM in question.
  • stop – Requires find permissions + VirtualMachine.Interact.PowerOff on
    the VM in question.
  • terminate – Requires find permissions + VirtualMachine.Inventory.Remove
    on the VM in question and its parent folder.
  • create – Requires find permissions +
    VirtualMachine.Inventory.CreateFromExisting on the template in question,
    as well as Datastore.AllocateSpace on the target data store, and
    Resource.AssignVMToPool on the target resource pool (the target cluster
    in non-DRS enabled vCenters).

-= Stefan

On Friday, November 21, 2014 8:06:22 AM UTC-8, Zachary Herner wrote:
> Hopefully you can see the image. That's the permissions I gave to my
> foreman user.
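The permission list quoted above maps each lifecycle action to a vSphere privilege ID. As an added example (not Foreman's or Puppet's code, and not from this thread), the script below turns that list into a least-privilege role builder: it computes the privilege set needed for a chosen set of actions, diffs it against a role's current privileges so you can see exactly which ID a "NoPermission" error is pointing at, and optionally creates the role in vCenter with pyVmomi. The privilege IDs are the ones quoted in the thread plus the three System.* IDs that make up vSphere's built-in Read-only role. The role name, principal, the SAMPLE_ROLE contents and the pyVmomi AuthorizationManager calls are assumptions for illustration; check the latter against your installed pyVmomi version.

```python
"""Least-privilege vSphere role for a provisioning user.

Added example; not Foreman or Puppet code. Privilege IDs come from the
Puppet Enterprise "Permissions Required for Provisioning with VMware" list
quoted in the thread. Role names, SAMPLE_ROLE and the vCenter connection
details are constructed for this example.
"""

# The built-in Read-only role: every user needs these to see inventory at all.
READ_ONLY = ("System.Anonymous", "System.View", "System.Read")

# Per-action privileges exactly as given in the quoted list. "list" and
# "find" need only read-only access on the datacenter, datastore, network
# and the full VM folder path, so they add nothing beyond READ_ONLY.
ACTION_PRIVILEGES = {
    "list": (),
    "find": (),
    "start": ("VirtualMachine.Interact.PowerOn",),
    "stop": ("VirtualMachine.Interact.PowerOff",),
    "terminate": ("VirtualMachine.Inventory.Remove",),
    "create": (
        "VirtualMachine.Inventory.CreateFromExisting",  # on the template
        "Datastore.AllocateSpace",                       # on the target datastore
        "Resource.AssignVMToPool",                       # on the pool / cluster
    ),
}


def required_privileges(actions):
    """Sorted, de-duplicated privilege set for the given lifecycle actions."""
    privs = set(READ_ONLY)
    for action in actions:
        if action not in ACTION_PRIVILEGES:
            raise ValueError(
                f"unknown action {action!r}; known: {sorted(ACTION_PRIVILEGES)}")
        privs.update(ACTION_PRIVILEGES[action])
    return sorted(privs)


def missing_privileges(role_privileges, actions):
    """Privilege IDs a role still lacks for `actions` (the cause of NoPermission)."""
    have = set(role_privileges)
    return [p for p in required_privileges(actions) if p not in have]


# Constructed role resembling the symptom in the thread: the user can read
# inventory and power VMs on and off, but host creation fails with NoPermission.
SAMPLE_ROLE = [
    "System.Anonymous", "System.View", "System.Read",
    "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff",
]


def apply_role(host, user, pwd, role_name, principal, actions):
    """Create the role in vCenter and grant it to `principal` at the root folder.

    Assumes pyVmomi's AuthorizationManager API (hypothetical until checked
    against your pyVmomi version). The import is local so the pure functions
    above run without pyVmomi installed.
    """
    import ssl
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim

    ctx = ssl.create_default_context()  # verify vCenter's certificate; do not disable
    si = SmartConnect(host=host, user=user, pwd=pwd, sslContext=ctx)
    try:
        authz = si.content.authorizationManager
        role_id = authz.AddAuthorizationRole(
            name=role_name, privIds=required_privileges(actions))
        perm = vim.AuthorizationManager.Permission(
            principal=principal, group=False, roleId=role_id, propagate=True)
        # Granting at the root folder with propagate=True is the simplest scope
        # to get working; tighten it to the provisioning datacenter, folder,
        # datastore and resource pool once host creation succeeds.
        authz.SetEntityPermissions(entity=si.content.rootFolder, permission=[perm])
        return role_id
    finally:
        Disconnect(si)


if __name__ == "__main__":
    lifecycle = ["find", "create", "start", "stop", "terminate"]
    print("role lacks:", missing_privileges(SAMPLE_ROLE, lifecycle))
```

Run it as-is to see which IDs the constructed role is missing for a full lifecycle; to check your own role, paste the privilege IDs from its vSphere role definition into SAMPLE_ROLE. The diff tells you what to add without falling back to the Administrator role, which rules out permissions as a cause but leaves the provisioning account far more powerful than it needs to be.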

Your environment is probably different from mine. You'll have to
selectively add permissions as needed. If you use the VDS you'll need to add
permissions for that; the same goes for a datastore cluster, etc.

Depending where you're at with your troubleshooting you may try assigning
an admin role to rule out permissions.