Patching vCenter Server 8.0 U3 may report a failure with "Exception occurred in postInstallHook for wcp:patch"

Article ID: 426162


Products

VMware vCenter Server

Issue/Introduction

  • Patching vCenter Server Appliance (VCSA) via VAMI reports a failure for postInstallHook:



  • Error from /var/log/vmware/applmgmt/PatchRunner.log:

    [YYYY-MM-DDTHH:MM:SS] wcp:Patch ERROR wcp Failed to apply patch %s! Error: %s.
    [YYYY-MM-DDTHH:MM:SS] wcp:Patch ERROR wcp Not all patches were applied. Latest applied patch is 1
    [YYYY-MM-DDTHH:MM:SS] wcp:Patch ERROR vmware_b2b.patching.executor.hook_executor Patch hook 'wcp:Patch' failed.
    Traceback (most recent call last):
      File "/storage/updatemgr/software-update4vneeiai/stage/scripts/patches/py/vmware_b2b/patching/executor/hook_executor.py", line 74, in executeHook
        executionResult = systemExtension(args)
      File "/storage/updatemgr/software-update4vneeiai/stage/scripts/patches/libs/sdk/extensions.py", line 106, in __call__
        result = self.extension(*args)
      File "/storage/updatemgr/software-update4vneeiai/stage/scripts/patches/libs/sdk/extensions.py", line 123, in _func
        return func(*args)
      File "/storage/updatemgr/software-update4vneeiai/stage/scripts/patches/payload/components-script/wcp/__init__.py", line 225, in doPatching
        doIncrementalPatching(current_version)
      File "/storage/updatemgr/software-update4vneeiai/stage/scripts/patches/payload/components-script/wcp/__init__.py", line 343, in doIncrementalPatching
        raise user_error
    patch_errors.UserError: Failed to apply patch roles_groups_users! Error: Role CNS-SUPERVISOR-DATASTORE (id: 1090) not found in VC..
    [YYYY-MM-DDTHH:MM:SS] WARNING root stopping status aggregation...
    [YYYY-MM-DDTHH:MM:SS] ERROR __main__ Patch vCSA failed
    [YYYY-MM-DDTHH:MM:SS] ERROR __main__ Discovery of vCSA patching components failed

  • Entries in /var/log/vmware/vpxd-svcs/authz-event.log:

    [YYYY-MM-DDTHH:MM:SS] [tomcat-exec-63 [] INFO  AuthorizationService.AuditLog  opId=] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Delete role 1090

    [YYYY-MM-DDTHH:MM:SS] [authz-service-1 [] INFO  AuthorizationService.AuditLog  opId=6477e68b] Action performed by principal(name=VSPHERE.LOCAL\vpxd-3dc5806b-ff79-4ac3-a456-7f7642bfdd66,isGroup=false):Update role Id=1671862448,Name=CNS-SUPERVISOR-DATASTORE,Description=,Tenant=Privileges=null
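
To locate these audit entries in a large authz-event.log, the following added example (not part of the original article or of VMware's tooling) reports deletions of a pre-defined role ID and CNS role names that appear under a different ID. The sample lines are constructed in the format shown above, and the only ID mapping assumed is the 1090 value given in this article.

```python
import re

PREDEFINED = {"CNS-SUPERVISOR-DATASTORE": 1090}  # role name -> ID, from this article

# Constructed lines in the format shown above (timestamps and principals invented).
SAMPLE_LOG = r"""
[2024-07-01T10:15:02] [tomcat-exec-63 [] INFO  AuthorizationService.AuditLog  opId=] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Delete role 1090
[2024-07-01T10:17:40] [authz-service-1 [] INFO  AuthorizationService.AuditLog  opId=6477e68b] Action performed by principal(name=VSPHERE.LOCAL\vpxd-example,isGroup=false):Update role Id=1671862448,Name=CNS-SUPERVISOR-DATASTORE,Description=,Tenant=Privileges=null
[2024-07-01T10:20:11] [tomcat-exec-12 [] INFO  AuthorizationService.AuditLog  opId=] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Delete role 424242
"""

# Matches only the two audit message shapes that appear in the article.
EVENT = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?principal\(name=(?P<who>[^,]+),isGroup=\w+\):"
    r"(?:Delete role (?P<deleted>-?\d+)"
    r"|Update role Id=(?P<id>-?\d+),Name=(?P<name>[^,]*))")

def audit_findings(log_text, predefined=PREDEFINED):
    """Return (kind, timestamp, principal, role_name, role_id) tuples."""
    name_by_id = {role_id: name for name, role_id in predefined.items()}
    findings = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        if m["deleted"] is not None:
            role_id = int(m["deleted"])
            if role_id in name_by_id:       # a pre-defined role was removed
                findings.append(("deleted", m["ts"], m["who"],
                                 name_by_id[role_id], role_id))
        elif m["name"] in predefined and int(m["id"]) != predefined[m["name"]]:
            # a pre-defined role name now lives under a non-standard ID
            findings.append(("wrong-id", m["ts"], m["who"],
                             m["name"], int(m["id"])))
    return findings
```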

Environment

vCenter Server 8.0 U3

Cause

This issue occurs when a CNS role is deleted from vCenter and then re-created manually. The re-created role is assigned a random role ID instead of the ID that is pre-defined in vCenter for each CNS role.

Resolution

  • Export the LDIF by running:

    ldapsearch -o ldif-wrap=no -LLL -h localhost -b "cn=RoleModel,cn=VmwAuthz,cn=Services,dc=vsphere,dc=local" -s sub -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w 'Password' > /var/tmp/role.ldif 

    Then check the role ID of the required role (CNS-SUPERVISOR-DATASTORE in this case). The content will look like this:


    # 1671862448, RoleModel, VmwAuthz, services, vsphere.local
    dn: cn=1671862448,cn=RoleModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local
    nTSecurityDescriptor:: AQAHhBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAA36Q9olfcOpBU
     NQwPGnOHx9AEAAAEGAAAAAAAHFQAAADfpD2iV9w6kFQ1DA8ac4fEgAgAAAgDAAAUAAAAAEygAMwAG
     IAEGAAAAAAAHFQAAADfpD2iV9w6kFQ1DA8ac4fH0AQAAABMoADMABiABBgAAAAAABxUAAAA36Q9ol
     fcOpBUNQwPGnOHxIAIAAAATKAAzAAYgAQYAAAAAAAcVAAAAN+kPaJX3DqQVDUMDxpzh8QACAAAAEy
     gAMwAGAAEGAAAAAAAHFQAAADfpD2iV9w6kFQ1DA8ac4fEDAgAAABMYADAAAAABAgAAAAAAByAAAAC
     aAgAA
    vmwAuthzRolePrivilegeId: System.Anonymous
    vmwAuthzRolePrivilegeId: System.Read
    vmwAuthzRolePrivilegeId: System.View
    vmwAuthzRolePrivilegeId: Datastore.FileManagement
    vmwAuthzRolePrivilegeId: Datastore.AllocateSpace
    vmwAuthzRoleVersion: 0
    vmwAuthzRoleName: CNS-Datastore
    vmwAuthzRoleDescription:: QWxsb3dzIHBlcmZvcm1pbmcgcmVhZCwgd3JpdGUsIGRlbGV0ZSwg
     YW5kIHJlbmFtZSBvcGVyYXRpb25zIGluIHRoZSBkYXRhc3RvcmUgYnJvd3Nlci4g
    objectClass: top
    objectClass: vmwAuthzRole
    cn: 1671862448

    As shown, the role ID is expected to be 1090, but it is 1671862448.

    Note: /usr/lib/vmware-wcp/csi-roles.xml has the CNS roles with the role IDs that are pre-defined.

  • To fix this:
    • Take a snapshot of the VC 
    • Delete the CNS role with the invalid role ID by running: 

      ldapdelete -H ldap://localhost -D "cn=administrator,cn=users,dc=vsphere,dc=local" -w "<password>" "cn=1671862448,cn=RoleModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local"

    • Now run the script from the article "Manually Synchronize WCP", changing the script in its resolution step 2 to the following, which uses csi-roles.xml instead of roles.xml:

      # cat <<EOF >>/usr/lib/vmware-wcp/py-modules/roles.py
      import featureState
      from roles_groups_users_utils import Authz

      if __name__ == "__main__":
          authz_patch = Authz()
          # Ensure the CNS roles listed in csi-roles.xml exist
          authz_patch.ensure_roles_exist('/usr/lib/vmware-wcp/csi-roles.xml')
      EOF

    • You will now see that the role has been added.

  • Once this is done, you can validate the role ID by regenerating the LDIF file using the steps above.
  • You can now retry the patch.
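
The role ID check in the export step and the validation step above can be scripted. This is an added example, not part of the original article or of VMware's tooling: it parses LDIF text such as /var/tmp/role.ldif, handling folded lines and base64 (`::`) values, and lists roles stored under an ID other than the expected one. The sample LDIF is constructed, and the only expected ID assumed is the 1090 value stated in this article.

```python
import base64

# ID stated in this article; the appliance's list is /usr/lib/vmware-wcp/csi-roles.xml.
EXPECTED_IDS = {"CNS-SUPERVISOR-DATASTORE": 1090}

# Constructed sample shaped like the export; the description is folded base64.
SAMPLE_LDIF = """\
dn: cn=1671862448,cn=RoleModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local
vmwAuthzRoleName: CNS-SUPERVISOR-DATASTORE
vmwAuthzRoleDescription:: Q05TIHJv
 bGU=
cn: 1671862448

dn: cn=12345,cn=RoleModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local
vmwAuthzRoleName: EXAMPLE-ROLE
cn: 12345
"""

def parse_ldif(text):
    """Return one dict per entry: attribute name -> list of decoded values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            else:
                value = value.strip()
            current.setdefault(attr, []).append(value)
    return entries

def mismatched_roles(text, expected=EXPECTED_IDS):
    """Return (name, expected_id, actual_id, dn) for roles stored under another ID."""
    found = []
    for entry in parse_ldif(text):
        name = entry.get("vmwAuthzRoleName", [""])[0]
        cn = entry.get("cn", [""])[0]
        if name in expected and cn != str(expected[name]):
            found.append((name, expected[name], cn, entry.get("dn", [""])[0]))
    return found
```

An empty result from `mismatched_roles(open("/var/tmp/role.ldif").read())` after the fix means the listed roles are stored under their expected IDs.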