VCP precheck/check compliance fails if any internal users' permissions are present in the desired configuration

Article ID: 369696

Products

VMware vCenter Server 8.0

Issue/Introduction

After upgrading an ESXi host from 8.0.x to 8.0 U3, the VCP check compliance/precheck APIs might fail because the desired config document contains permissions for certain disallowed internal users.

When users create a new draft, the configuration precheck/compliance check fails with the errors below.

In the UI, the error may display:

Compliance check failed or skipped on '10.x.x.x'

/profile/esx/authorization/permissions/3/principal
Validation plugin error: Invalid value 'dcui'.

In the /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log:

Task Failed. Error: Error:
--> com.vmware.vapi.std.errors.error
--> Messages:
--> com.vmware.vcIntegrity.lifecycle.ConfigurationCheckComplianceTask.Failure<Compliance check failed or skipped on '10.x.x.x'.>
-->

Task Failed. Error: Error:
--> com.vmware.vapi.std.errors.error
--> Messages:
--> com.vmware.vcIntegrity.lifecycle.DraftConfigurationPrecheckTask.Failure<Draft configuration Precheck task failed or skipped on '10.x.x.x'.>
-->

Environment

VMware vCenter Server 8.0 U3

Cause

In pre-8.0 U3 ESXi, certain internal users' permissions were considered user configurations. As a result, a desired document generated using such hosts would include these configurations. However, in ESXi 8.0 U3, these internal configurations are no longer treated as user configurations, and validation checks have been implemented to prevent them.

If the desired document contains permissions for any of the internal users below, they cause validation errors in ESXi 8.0 U3:

  • baremetal
  • esximgmt
  • da-user
  • dcui
  • lldpVim-user
  • mux_user
  • nsx-user
  • nsxuser
  • vpxuser
  • vxpsvc_ptagent_op
  • waiter

Resolution

There is no resolution at this time.

As a workaround, use one of the following two options.

Option 1:

  1. In the vCenter UI, select the Cluster.
  2. Click on the Configure tab.
  3. Click on Desired State > Configuration.
  4. Click on Create draft.
  5. Remove the problem-causing internal users' permissions from the draft config document.
  6. Click on Apply.
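
To locate the entries that step 5 of Option 1 asks you to remove, the following added example (not VMware's own tooling) scans a desired configuration document that has been exported as JSON and reports each permission whose principal is one of the internal users listed under Cause. It assumes the document nests permissions under `profile.esx.authorization.permissions`, as the error path in this article indicates; the `access_mode` field and the sample document are constructed for illustration.

```python
import json

# Internal principals listed in the Cause section of this article.
INTERNAL_PRINCIPALS = frozenset({
    "baremetal", "esximgmt", "da-user", "dcui", "lldpVim-user", "mux_user",
    "nsx-user", "nsxuser", "vpxuser", "vxpsvc_ptagent_op", "waiter",
})

def _permissions(doc):
    """Return the permissions list, or an empty list if the path is absent."""
    auth = doc.get("profile", {}).get("esx", {}).get("authorization", {})
    perms = auth.get("permissions")
    return perms if isinstance(perms, list) else []

def _is_internal(entry):
    return isinstance(entry, dict) and entry.get("principal") in INTERNAL_PRINCIPALS

def find_internal_permissions(doc):
    """Return (path, principal) pairs in the same form as the validation error."""
    return [(f"/profile/esx/authorization/permissions/{i}/principal", p["principal"])
            for i, p in enumerate(_permissions(doc)) if _is_internal(p)]

def strip_internal_permissions(doc):
    """Return a deep copy of the document without the internal users' entries."""
    cleaned = json.loads(json.dumps(doc))  # deep copy, input stays untouched
    perms = _permissions(cleaned)
    if perms:
        cleaned["profile"]["esx"]["authorization"]["permissions"] = [
            p for p in perms if not _is_internal(p)]
    return cleaned

# Constructed sample document; "access_mode" is an assumed field name.
SAMPLE = {"profile": {"esx": {"authorization": {"permissions": [
    {"principal": "root", "access_mode": "Admin"},
    {"principal": "svc-backup", "access_mode": "ReadOnly"},
    {"principal": "vpxuser", "access_mode": "Admin"},
    {"principal": "dcui", "access_mode": "Admin"},
]}}}}

if __name__ == "__main__":
    for path, principal in find_internal_permissions(SAMPLE):
        print(f"{path}: disallowed internal principal '{principal}'")
    print(json.dumps(strip_internal_permissions(SAMPLE), indent=2))
```

Review the reported paths against the draft in the vCenter UI before removing anything; the script only reads and filters a local copy of the document.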


Option 2:

  1. In the vCenter UI, select the Cluster -> Configure -> Configuration -> Draft -> Import from ESXi 8.0U3 host. 
  2. In the vCenter UI, select the Cluster.
  3. Click on the Configure tab.
  4. Click on Desired State > Configuration.
  5. Click on the Draft tab.
  6. Select Import from host.
  7. Select an ESXi 8.0 U3 host for the cluster.
  8. Click Import.

Note: This will not import the internal users' permissions and will allow any new configuration to be applied.