Error "An error occurred while starting service 'updatemgr'" when starting vmware-updatemgr service
search cancel

Error "An error occurred while starting service 'updatemgr'" when starting vmware-updatemgr service

book

Article ID: 390588

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Update manager service fails to start with below error message. 

# service-control --start vmware-updatemgr

Operation not cancellable. Please wait for it to finish...
Performing start operation on service updatemgr...
Error executing start on service updatemgr. Details {
    "detail": [
        {
            "id": "install.ciscommon.service.failstart",
            "translatable": "An error occurred while starting service '%(0)s'",
            "args": [
                "updatemgr"
            ],
            "localized": "An error occurred while starting service 'updatemgr'"
        }
    ],
    "componentKey": null,
    "problemId": null,
    "resolution": null
}
Service-control failed. Error: {
    "detail": [
        {
            "id": "install.ciscommon.service.failstart",
            "translatable": "An error occurred while starting service '%(0)s'",
            "args": [
                "updatemgr"
            ],
            "localized": "An error occurred while starting service 'updatemgr'"
        }
    ],
    "componentKey": null,
    "problemId": null,
    "resolution": null
}
  • /var/log/vmware/vmware-updatemgr/refreshCerts-utility.log
[YYYY-MM-DD HH:MM:SS,411 INFO] Updating VUM extension with VC
[YYYY-MM-DD HH:MM:SS,437 ERROR] Failed to update extension com.vmware.vcIntegrity with VC. Reason: (vim.fault.NoPermission) {
   dynamicType = <unset>,
   dynamicProperty = (vmodl.DynamicProperty) [],
   msg = 'Permission to perform this operation was denied.',
   faultCause = <unset>,
   faultMessage = (vmodl.LocalizableMessage) [],
   object = 'vim.Folder:group-d1',
   privilegeId = 'Extension.Update',
   missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) []
}
  • From journalctl.log
MMM DD TT:MM:SS vcenterfqdn vpxd[7325]: Event [964626122] [1-1] [YYYY-MM-DDTHH:MM:SS] [vim.event.EventEx] [warning] [] [] [964626122] [Privilege check failed for user VSPHERE.LOCAL\vpxd-extension-xxxxxxx for missing permission Extension.Update. Session user performing the check: ]
MMM DD TT:MM:SS vcenterfqdn vpxd[7325]: Event [964627123] [1-1] [YYYY-MM-DDTHH:MM:SS] [vim.event.EventEx] [warning] [] [] [964626122] [Privilege check failed for user VSPHERE.LOCAL\vpxd-extension-xxxxxxx for missing permission Extension.Update. Session user performing the check: ]
  • Update manager uses the vpxd-extension solution user to register the extension with VPXD. This user doesn't seem to have the `Extension.Update` privilege needed for registering the extension.

cat vmdird-syslog.log | grep -A 5 -B 5 'DOMAIN.LOCAL\\vpxd-extension-'

YYYY-MM-DDTHH:MM:SS.471751+00:00 info vmdird  t@139650358294272: MOD 1,rep,vmwAuthzDocUri: (urn:acl:global:permissions)
YYYY-MM-DDTHH:MM:SS.471823+00:00 info vmdird  t@139650358294272: MOD 2,rep,vmwAuthzPrincipalName: (DOMAIN.LOCAL\vpxd-extension-XXXXXXX-XXXXXXX-XXXXXXX)
YYYY-MM-DDTHH:MM:SS.471855+00:00 info vmdird  t@139650358294272: MOD 3,rep,vmwAuthzPrincipalGroup: (FALSE)
YYYY-MM-DDTHH:MM:SS.471885+00:00 info vmdird  t@139650358294272: MOD 4,rep,vmwAuthzPermissionVersion: (7)
YYYY-MM-DDTHH:MM:SS.471908+00:00 info vmdird  t@139650358294272: MOD 5,rep,vmwAuthzPermissionPropagate: (TRUE)
YYYY-MM-DDTHH:MM:SS.471935+00:00 info vmdird  t@139650358294272: MOD 6,rep,vmwAuthzPermissionRoleId: (2005112957)
YYYY-MM-DDTHH:MM:SS.473192+00:00 info vmdird  t@139650358294272: Modify Entry (cn=DOMAIN.LOCAL%5Cvpxd-extension-XXXXXXX-XXXXXXX-XXXXXXX@false@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=services,dc=Wellington,dc=local, EID 3028)(from 127.0.0.1)(by vCenter_FQDN@domain.local)(via Ext)(USN 11742,0)

 

Environment

  • VMware vCenter server 7.X
  • VMware vCenter server 8.X

Cause

The user vpxd-extension-<Machine-ID> has been assigned a custom role that lacks the Extension.Update privilege. By default, this user is assigned the Administrator role.

Resolution

Change the role of the vpxd-extension-<Machine-ID> user to Administrator in Global Permissions via the vSphere Client.

Steps:

  1. Log in to the vSphere Client.

  2. Navigate to Administration > Global Permissions.

  3. Select the vpxd-extension-<Machine-ID> user.

  4. Click Edit, and change the role to Administrator.

  5. Save the changes.

Next, restart the vCenter Server services. Refer to the following article for instructions:

Stop, Start, or Restart Services on vCenter Server 7.x/8.x

Additional Information

Additionally, check the solution user's permissions on the vCenter and cluster objects to ensure the correct roles are being inherited.

For example, granting Administrator role at the vCenter level but restricting them to Read-Only at the cluster level to a solution user causes the lower-level restrictive role to take effect, which can generate privilege warnings for that specific cluster.