Investigating power on permissions for ESX/ESXi virtual machines

Article ID: 344287

Products

VMware VMware vCenter Server VMware vSphere ESXi

Issue/Introduction


Symptoms:
  • Unable to power on a virtual machine.
  • When trying to connect to the console of a virtual machine from vCenter Server/VirtualCenter you receive the error:

    Error connecting: You need execute access in order to connect with the VMware console. Access denied for config file


Environment

VMware ESX 4.0.x
VMware ESXi 4.0.x Embedded
VMware vCenter Server 5.0.x
VMware ESX Server 3.5.x
VMware ESXi 3.5.x Embedded
VMware VirtualCenter 2.5.x
VMware vSphere ESXi 5.0
VMware vCenter Server 4.1.x
VMware ESXi 4.0.x Installable
VMware ESXi 4.1.x Installable
VMware ESXi 4.1.x Embedded
VMware ESXi 3.5.x Installable
VMware ESX 4.1.x
VMware vCenter Server 4.0.x

Resolution

vCenter Server/VirtualCenter Permissions

Permissions can be set in vCenter Server/VirtualCenter to control Power On operations on virtual machines.

To check if there are sufficient permissions set in vCenter Server/VirtualCenter:

  1. Connect to the vCenter Server/VirtualCenter using vSphere Client/Virtual Infrastructure Client.
  2. Log in as a user with administrator privileges.
  3. Select the Datacenter and click Permissions.
  4. Check if the user account used to log in has at least read-only rights at this level.
  5. Click on the ESX/ESXi host where the virtual machine resides and click the Permissions tab.
  6. Check if the user account used to log in has Virtual Machine user rights at that level.
  7. Check to make sure that the user is not part of a group that has been assigned a restrictive role. This could limit privileges in parts of the inventory hierarchy.

ESX/ESXi File System Permissions

Permissions on configuration files (.vmx) and their effects on virtual machine functionality

The permissions set on the configuration file (.vmx) of the virtual machine affect how other users on the system can start the virtual machine, shut it down, or view it in the management interface.
  • Read (r)
    Users can see the virtual machine in the management interface.

  • Read and Execute (r x)
    Users can:
    o Start, stop, reset, and suspend the virtual machine through the management interface, remote console, and API.
    o Access the configuration files of the virtual machine as read only.

  • Read and Write (r w)
    Users can:
    o Access the virtual machine from the management interface.
    o View the details and event logs.
    o Configure the virtual machine and save the changes through the management interface.
    o Connect to a virtual machine via API.
    o From the command-line interface, access and modify the files that make up the virtual machine.

    Users cannot:
    o Connect to the virtual machine through the remote console.
    o Control the power to the virtual machine.

  • Read Write and Execute (r w x)
    Users have full access to act on and modify the virtual machine.
Note: All the directories leading to the .vmx file must have execute permissions for the relevant permission class (user, group, or others) for the changes to be valid and for users to access it. Unix file permissions cannot cover all possibilities, such as granting only remote console access for a user. Consider using vCenter Server/VirtualCenter for a specific and more elaborate permission set.
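
The mapping above, together with the note about parent directories, as an added shell example that is not part of the VMware article: it reports which of the listed access levels a permission class has on a .vmx file and which parent directories lack execute for that class, so the narrowest chmod can be chosen. Function names are hypothetical; it assumes a POSIX shell with ls, cut, dirname and sed.

```shell
#!/bin/sh
# Added example, not VMware code; function names are hypothetical.

# triple PATH CLASS: print PATH's rwx triple for user|group|other.
triple() {
    [ -e "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c2-10)
    case $2 in
        user)  printf '%s\n' "$perms" | cut -c1-3 ;;
        group) printf '%s\n' "$perms" | cut -c4-6 ;;
        other) printf '%s\n' "$perms" | cut -c7-9 ;;
        *)     return 2 ;;
    esac
}

# capability TRIPLE: access level the article lists for that .vmx triple.
capability() {
    case $1 in
        r--) echo "view-only" ;;
        r-x) echo "power-control,read-only-config" ;;
        rw-) echo "configure,no-console,no-power" ;;
        rwx) echo "full" ;;
        *)   echo "not-listed" ;;   # combinations the article does not cover
    esac
}

# blocked_dirs VMX CLASS [STOP]: print each directory from VMX's parent up to
# STOP (default /) that lacks execute (search) permission for CLASS.
blocked_dirs() {
    dir=$(dirname "$1"); stop=${3:-/}
    while :; do
        case $(triple "$dir" "$2") in
            ??[xst]) ;;             # lowercase s/t mean x is set too
            *) echo "$dir" ;;
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = / ] || [ "$dir" = . ]; then break; fi
        dir=$(dirname "$dir")
    done
}

# Usage: sh vmx_access.sh /vmfs/volumes/<Datastore>/vm/vm.vmx other
if [ $# -ge 2 ]; then
    echo "$1 [$2]: $(capability "$(triple "$1" "$2")")"
    blocked_dirs "$1" "$2" | sed 's/^/missing x: /'
fi
```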

Known Issues

  • When trying to connect to the console of a virtual machine from vCenter Server/VirtualCenter, you receive the error:

    Error connecting: You need execute access in order to connect with the VMware console. Access denied for config file.


    Resolution: Check the permissions for the virtual machine's configuration file.

    By default a virtual machine has the following permissions set:

    -rw-r--r-- 1 root root 1821 Feb 28 18:13 vm1.vmx

    Run 'chmod 755 /vmfs/volumes/<Datastore>/vm/vm.vmx', where <Datastore> is the volume that the virtual machine is located on.

    Running 'chmod 755 filename' allows everyone to read and execute the file; the owner is also allowed to write to it.

    -rwxr-xr-x 1 root root 1821 Feb 28 18:13 vm1.vmx

