applmgmt service Fails to Start on vCenter Server Due to Modified applmgmtSvcRole Name
search cancel

applmgmt service Fails to Start on vCenter Server Due to Modified applmgmtSvcRole Name

book

Article ID: 426816

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

applmgmt service fails to start with error.

service-control log:

root@VCFQDN[ ~ ]# service-control --start applmgmt
Operation not cancellable. Please wait for it to finish...
Performing start operation on service applmgmt...
Error executing start on service applmgmt. Details {
 "detail": [
 {
 "id": "install.ciscommon.service.failstart",
 "translatable": "An error occurred while starting service '%(0)s'",
 "args": [
 "applmgmt"
 ],
 "localized": "An error occurred while starting service 'applmgmt'"
 }
 ],

/var/log/vmware/vmon/vmon.log: 

<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: Traceback (most recent call last):
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: File "/usr/lib/applmgmt/support/scripts/create_svc_account.py", line 80, in <module>
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: main()
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: File "/usr/lib/applmgmt/support/scripts/create_svc_account.py", line 75, in main
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: setup_service_account(args.account, user_perm = args.userPerm,
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: File "/usr/lib/vmware/site-packages/cis/svcaccount_prestart_util.py", line 607, in setup_service_account
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: svcaccount.config_groups(name, groups)
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: File "/usr/lib/vmware/site-packages/cis/svcaccount_prestart_util.py", line 195, in config_groups
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: self.set_permission(roles, group, is_group=True)
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: File "/usr/lib/vmware/site-packages/cis/svcaccount_prestart_util.py", line 89, in wrapper_retry
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: return func(*args, **kwargs) # Last attempt, let any exception propagate
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: File "/usr/lib/vmware/site-packages/cis/svcaccount_prestart_util.py", line 217, in set_permission
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: authz_client.set_permission(domain_name, permission, principal_name,
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: File "/usr/lib/vmware/site-packages/cis/cisreglib.py", line 748, in set_permission
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: ac = self.create_access_control(principal, rolenames,
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: File "/usr/lib/vmware/site-packages/cis/cisreglib.py", line 728, in create_access_control
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: role_ids.append(role_objs_dict[rolename])
<timestamp> Wa(03)+ host-1301930
<timestamp> Wa(03) host-1301930 <applmgmt> Service pre-start command's stderr: KeyError: 'applmgmtSvcRole'
<timestamp> Wa(03)+ host-1301930
<timestamp> Er(02) host-1301930 <applmgmt> Service pre-start command failed with exit code 1.
<timestamp> Wa(03) host-1301930 [ReadSvcSubStartupData] No startup information from applmgmt.

Environment

vCenter Server

Cause

The issue occurs when the built-in vCenter authorization role applmgmtSvcRole has been manually renamed.

The applmgmt service depends on the role name applmgmtSvcRole during first boot and service registration to:

  • Register the applmgmt service
  • Assign the SyncUsers role
  • Apply global permissions

If the vmwAuthzRoleName attribute for role ID 2000 is modified, the applmgmt service is unable to locate the expected role name and, as a result, fails to start.

To verify whether the vmwAuthzRoleName has been modified, run the following command from an SSH (PuTTY) session to the vCenter Server.

Note:

  • Update the SSO domain if it differs from vsphere.local
  • Replace <SSO_PWD> with the correct SSO Administrator password
ldapsearch -o ldif-wrap=no -LLL -H ldap://localhost -b "cn=2000,cn=RoleModel,cn=VmwAuthz,cn=Services,dc=vsphere,dc=local" -s sub -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w '<SSO_PWD>' vmwAuthzRoleName

 

If the output shows a role name other than applmgmtSvcRole, the role has been modified and will prevent the applmgmt service from starting.

Resolution

Take a snapshot of vCenter Server.

SSH to the affected vCenter Server.

Rename the role back to the expected value using LDAP modification: (Update the SSO domain if it differs from vsphere.local)

/opt/likewise/bin/ldapmodify -x -h localhost -p 389 -D 'cn=Administrator,cn=Users,dc=vsphere,dc=local' -W << EOF
dn: cn=2000,cn=RoleModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local
changetype: modify
replace: vmwAuthzRoleName
vmwAuthzRoleName: applmgmtSvcRole
EOF

Restart all vCenter services : 

service-control --stop --all && service-control --start --all

 

After restoring the correct role name and restarting services, the applmgmt service should start successfully.

Powered by Wolken Software