Checking Configuration Profiles compliance/pre-check fails with error: Invalid value "vslauser" or "vpxuser"
search cancel

Checking Configuration Profiles compliance/pre-check fails with error: Invalid value "vslauser" or "vpxuser"

book

Article ID: 311912

calendar_today

Updated On:

Products

VMware vSphere ESXi 8.0 VMware vCenter Server 8.0

Issue/Introduction

Trying to configure cluster "desired state" and during "draft pre checks", might get below errors.

  • After ESXi host upgrade to ESXi 8.0 U3 or higher versions, Configuration Profiles compliance/pre-check fails due to the presence of certain disallowed internal users' permissions in the desired configuration.
  • This issue will only be present in ESXi 8.x hosts upgraded to ESXi 8.0U3 and higher.
  • If the desired configuration had the following internal users' permissions, they would cause validation errors in ESXi 8.0U3:

    vpxuser,dcui,nsx-user,da-user,nsxuser,mux_user,lldpVim-user,vxpsvc_ptagent_op,esximgmt,baremetal,waiter.

  • Configuration precheck/compliance will fail when users create a new draft with the below errors in UI :

  • Invalid value "vslauser" 


  • Compliance check failed or skipped on 'x.x.x.x'

    /profile/esx/authorization/permissions/3/principal
    Validation plugin error: Invalid value 'dcui'.

  • Log file /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log will show entries similar to :

    Task Failed. Error: Error:
    -->    com.vmware.vapi.std.errors.error
    --> Messages:
    -->    com.vmware.vcIntegrity.lifecycle.ConfigurationCheckComplianceTask.Failure<Compliance check failed or skipped on 'x.x.x.x'.>
    -->

    Task Failed. Error: Error:
    -->    com.vmware.vapi.std.errors.error
    --> Messages:
    -->    com.vmware.vcIntegrity.lifecycle.DraftConfigurationPrecheckTask.Failure<Draft configuration Precheck task failed or skipped on 'x.x.x.x'.>
    -->

 

Cause

In pre-8.0U3 ESXi, certain internal users' permissions were considered user configurations. As a result, a desired configuration generated using such hosts would include these configurations. However, ESXi 8.0U3 no longer treat these internal configurations as user configurations and have implemented validation checks to prevent them.

 

Resolution

This issue is resolved in ESXI 8.0U3,

To workaround this issue, follow any of below options :

Option 1 (remove the internal users permissions from the draft:

Cluster -> Configure -> Configuration -> Create draft -> Remove the problem causing internal users' permissions from the draft config document and apply.


Option 2 (import from ESXi 8.0 U3 host):

Cluster -> Configure -> Configuration -> Draft -> Import from ESXi 8.0U3 host.

This will not import the internal users' permissions and will allow any new configuration to be applied.

Option 3 (create vslauser and remove it):

  • esxcli system account add -i vslauser -p -c
  • esxcli system account remove -i vslauser
Powered by Wolken Software