Modifying a cloud-init GuestInfo variable value from the guest OS fails with "Permission denied" error

search cancel

Modifying a cloud-init GuestInfo variable value from the guest OS fails with "Permission denied" error

book

Article ID: 377267

calendar_today

Updated On:

Products

VMware vSphere ESXi 8.0

Issue/Introduction

"Permission denied" error is returned when setting cloud-init GuestInfo variables value using "vmware-rpctool" or "vmtoolsd --cmd" on Linux guests, or using "rpctool.exe" or "vmtoolsd.exe --cmd" on Windows guests.
A "Permission denied for setting key" log statement present in the virtual machine log file, of the form:
yyyy-mm-ddThh:mm:ss.msZ In(05) vmx - GuestRpc: Permission denied for setting key {GuestInfo-variable-name}.

Where "GuestInfo-variable-name" is one of the cloud-init GuestInfo variable names.

Note: We use the term "cloud-init" in this article to reference cloud-init,cloudbase-init and similar post-boot guest configuration mechanism that use the GuestInfo variables discussed herein.
Note: A cloud-init GuestInfo variable is one of
- guestinfo.metadata
- guestinfo.userdata
- guestinfo.vendordata
- guestinfo.metadata.encoding
- guestinfo.userdata.encoding
- guestinfo.vendordata.encoding

Environment

VMware ESXi 8.0 U3b

Cause

The issue can be caused when setting cloud-init GuestInfo variables values is denied to regular users (non-admin/non-root) based on VM settings

When:

vmware-rpctool on Linux or "rpctool.exe" on Windows is used to set a cloud-init GuestInfo variable value using the "info-set" command, to a value that is not allowed for regular users.
"vmtoolsd --cmd" on Linux or "vmtoolsd.exe --cmd" on Windows is used by a regular user (non-admin/non-root) to set a cloud-init GuestInfo variable value using the "info-set" command, to a value that is not allowed for regular users.

Note 1: cloud-init GuestInfo variables and their values allowed to be set by regular users:

GuestInfo variable name	Allowed value to set by regular users
`guestinfo.metadata`	"---" (three hyphen characters)
`guestinfo.userdata`	"---" (three hyphen characters)
`guestinfo.vendordata`	"---" (three hyphen characters)
`guestinfo.metadata.encoding`	" " (single space character)
`guestinfo.userdata.encoding`	" " (single space character)
`guestinfo.vendordata.encoding`	" " (single space character)

Note 2 : A "Permission denied" error can also be caused by the "guest_rpc.rpci.auth.cmd.info-set" VM parameter being set to TRUESee KB - Accessing or modifying a GuestInfo variable value from the guest OS fails with "Permission denied" error

Resolution

When modifying a cloud-init GuestInfo variable value returns the "Permission denied" error, perform one of the below:

- Use the "vmtoolsd --cmd" on Linux or "vmtoolsd.exe --cmd" on Windows as an administrator or root user

- Set "guest_rpc.auth.cloud-init.set" value to FALSE in the VM configuration.

Additional Information

Accessing or modifying a GuestInfo variable value from the guest OS fails with "Permission denied" error

Feedback

thumb_up Yes

thumb_down No