Importing or deploying an OVF template fails with the error "A fatal error has occurred. Unable to continue".
search cancel

Importing or deploying an OVF template fails with the error "A fatal error has occurred. Unable to continue".

book

Article ID: 439662

calendar_today

Updated On:

Products

VMware vCenter Server 8.0 VMware vCenter Server

Issue/Introduction

When attempting to import or deploy an OVF template in vCenter Server, the operation fails with a generic UI error: "A fatal error has occurred. Unable to continue".

The following events are seen in the logs:

Log file: /var/log/vmware/vsphere-ui/logs/vSphere-ui-client-virgo.log

[ERROR] tp-nio-127.0.0.1-XXXX-exec-X XXXXXXXX XXXXXX XXXXXX c.v.v.c.p.impl.ProvisioningResourcePoolMutationProvider Failed to fetch file info for PUSH import session with spec :

com.vmware.vsphere.client.provisioning.spec.FileInfoValidationSpec {
  deploymentSpec = com.vmware.vsphere.client.provisioning.spec.DeployOnResourcePoolValidationSpec {
    commonContext = java.lang.Object[]:[]
      com.vmware.vsphere.client.provisioning.workflow.Workflow {
        id = deployVmOnResourcePool
        contextObject = ManagedObjectReference: type = HostSystem, value = host-XXX, serverGuid = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
      },
    ]
    name = <VM_NAME>
    template = file:///<OVF_TEMPLATE>.ovf
    provisioningTarget = ManagedObjectReference: type = ResourcePool, value = resgroup-XX, serverGuid = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    host = ManagedObjectReference: type = HostSystem, value = host-XXX, serverGuid = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    folder = ManagedObjectReference: type = Folder, value = group-vX, serverGuid = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    sourceType = PUSH_SOURCE
    pushContentType = OVF_SOURCE
    pushOvfOption = MANIFEST_CERTIFICATE
    sslThumbprint = null
    powerOn = false
  }
}

com.vmware.vapi.std.errors.InvalidArgument: InvalidArgument (com.vmware.vapi.std.errors.invalid_argument) => {
    messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
        id = com.vmware.vdcs.util.unhandled_error,
        defaultMessage = An error occurred: future must be done,
        args = [future must be done],
        params = <null>,
        localized = <null>
    }],
    data = <null>,
    errorType = INVALID_ARGUMENT
}

Log file: /var/log/vmware/content-library/cls.log

| ERROR    | XXXXXXXX-XXX-auto-XX-XX:XXXXXXXX-XX-XX-XX | cls-simple-activity-XX | EnsureTaskRegisteredActivity |

Cannot change state for ManagedObjectReference: type = Task, value = task-XXXXXX, serverGuid = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX from queued to running.

Runtime error reported for task.setState (vim.fault.NoPermission) {
   faultCause = null,
   faultMessage = null,
   object = ManagedObjectReference: type = HostSystem, value = host-XXX, serverGuid = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,
   privilegeId = Task.Update,
   missingPrivileges = (vim.fault.EntityPrivileges) [
      (vim.fault.EntityPrivileges) {
         dynamicType = null,
         dynamicProperty = null,
         entity = ManagedObjectReference: type = Task, value = task-XXXXXX, serverGuid = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,
         privilegeIds = (STRING) [
            Task.Update
         ]
      }
   ]
}. retrying...

| ERROR    | XXXXXXXX-XXX-auto-XX-XX:XXXXXXXX-XX-XX-XX | cls-simple-activity-XX | SimpleActivityWorker |

Exception will not be handled by activity EnsureTaskRegisteredActivity (handle=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, entityId=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX):

Future future is registered but not done
java.lang.IllegalStateException: Future future is registered but not done

| ERROR    | XXXXXXXX-XXX-auto-XX-XX:XXXXXXXX-XX-XX-XX | cls-simple-activity-XX | CompleteTaskActivity |

Failed to set state for task: taskId=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, state=ERROR, error is Permission to perform this operation was denied.. Retry in XX,XXX ms. X attempt(s) left

java.util.concurrent.ExecutionException: (vim.fault.NoPermission) {
   faultCause = null,
   faultMessage = null,
   object = ManagedObjectReference: type = HostSystem, value = host-XXX, serverGuid = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,
   privilegeId = Task.Update,
   missingPrivileges = (vim.fault.EntityPrivileges) [
      (vim.fault.EntityPrivileges) {
         dynamicType = null,
         dynamicProperty = null,
         entity = ManagedObjectReference: type = Task, value = task-XXXXXX, serverGuid = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,
         privilegeIds = (STRING) [
            Task.Update
         ]
      }
   ]
}

        at com.vmware.vim.vmomi.core.impl.BlockingFuture.get(BlockingFuture.java:XX)
        at com.vmware.vcloud.activity.futures.SerializableFuture.from(SerializableFuture.java:XX)
        at com.vmware.vcloud.activity.toolkit.simple.SimpleActivity.setupCompletedFutures(SimpleActivity.java:XXX)
        at com.vmware.vcloud.activity.toolkit.simple.executor.SimpleActivityWorker.executePhase(SimpleActivityWorker.java:XXX)
        at com.vmware.vcloud.activity.toolkit.simple.executor.SimpleActivityWorker.executeActivity(SimpleActivityWorker.java:XXX)
        at com.vmware.vcloud.activity.toolkit.simple.executor.SimpleActivityWorker.run(SimpleActivityWorker.java:XXX)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:XXX)
        at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:XXX)
        at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:XX)
        at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:XX)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:XXXX)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:XXX)
        at java.lang.Thread.run(Thread.java:XXX)

Caused by: com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.

Environment

vCenter Server 8.x

Cause

The vpxd-extension solution user is part of manually created groups that do not have the required Task.Update privilege, and one of these groups is restricting its permissions.

Resolution

  • Check the group membership of the vpxd-extension user from vpxd.log:
    • info vpxd[XXXXXXX] [Originator@XXXX sub=User opID=XXXXXXXX] Login token: SamlToken [subject={Name: vpxd-extension-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX; Domain:vsphere.local}, groups=[{Name: Users; Domain:vsphere.local}, {Name: SolutionUsers; Domain:vsphere.local}, {Name: SystemConfiguration.Administrators; Domain:vsphere.local}, {Name: ActAsUsers; Domain:vsphere.local}, {Name: ComponentManager.Administrators; Domain:vsphere.local}, {Name: AnalyticsService.Administrators; Domain:vsphere.local}, {Name: LicenseService.Administrators; Domain:vsphere.local}, {Name: ServiceProviderUsers; Domain:vsphere.local}, {Name: vStatsGroup; Domain:vsphere.local}, {Name: Virtual Machine User; Domain:vsphere.local}, {Name: Everyone; Domain:vsphere.local}], delegationChain=[], startTime=XXXX-XX-XX XX:XX:XX.XXX, endTime=XXXX-XX-XX XX:XX:XX.XXX, renewCount=0, delegableCount=0, isSolution=true, type=Saml_HOK]

  • The vpxd-extension solution user should only be part of the following default groups:

    • Users
    • SolutionUsers
    • SystemConfiguration.Administrators
    • ActAsUsers
    • ComponentManager.Administrators
    • AnalyticsService.Administrators
    • LicenseService.Administrators
    • ServiceProviderUsers
    • vStatsGroup
    • Everyone
  • If the vpxd-extension user or the ActAsUsers group is added to any manually created/custom group (for example: Virtual Machine User), and that group has restricted permissions, it can override required privileges.
  • Remove vpxd-extension user or the ActAsUsers from such custom groups (e.g., Virtual Machine User)
Powered by Wolken Software