iSharkFly-Docs
/
packer-cn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

document vsphere role permissions needed to run post-processors.

This commit is contained in:
Megan Marsh 2020-08-10 11:21:28 -07:00
parent c0757a1bba
commit 5f119a5464
2 changed files with 69 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
website/pages/docs/post-processors/vsphere-template.mdx
View File

@ -118,3 +118,42 @@ will upload the artifact to a vSphere endpoint. The resulting artifact is then
passed on to the `vsphere-template` post-processor which handles marking a VM passed on to the `vsphere-template` post-processor which handles marking a VM
as a template. Note that the `vsphere` and `vsphere-template` post-processors as a template. Note that the `vsphere` and `vsphere-template` post-processors
are paired together in their own JSON array. are paired together in their own JSON array.
## Permissions
The vsphere post processor needs several permissions to be able to mark the
vm as a template. Rather than giving full administrator access, you can create
a role to give the post-processor the permissions necessary to run. Here is an
example role that will work. Please note that this is a user-supplied list so
there may be a few extraneous permissions that are not strictly required.
For Vsphere 5.5 the role needs the following privileges:
Datastore.AllocateSpace
Host.Config.AdvancedConfig
Host.Config.NetService
Host.Config.Network
Network.Assign
System.Anonymous
System.Read
System.View
VApp.Import
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AdvancedConfig
VirtualMachine.Inventory.Delete
and either (If reregister_vm is false):
VirtualMachine.Provisioning.MarkAsTemplate
or (if reregister_vm is true or unset):
VirtualMachine.Inventory.Register
VirtualMachine.Inventory.Unregister
And this role must be authorized on the:
Cluster of the host
The destination folder (not on Datastore, on the Vsphere logical view)
The network to be assigned
The destination datastore.

30
website/pages/docs/post-processors/vsphere.mdx
View File

@ -149,3 +149,33 @@ build {
</Tab> </Tab>
</Tabs> </Tabs>
# Permissions
The vsphere post processor uses ovftool and therefore needs the same privileges
as ovftool. Rather than giving full administrator access, you can create a role
to give the post-processor the permissions necessary to run. Below is an example
role. Please note that this is a user-supplied list so there may be a few
extraneous permissions that are not strictly required.
For Vsphere 5.5 the role needs the following privileges:
Datastore.AllocateSpace
Host.Config.AdvancedConfig
Host.Config.NetService
Host.Config.Network
Network.Assign
System.Anonymous
System.Read
System.View
VApp.Import
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AdvancedConfig
VirtualMachine.Inventory.Delete
And this role must be authorized on the:
Cluster of the host
The destination folder (not on Datastore, on the Vsphere logical view)
The network to be assigned
The destination datastore.