SIVT fails to deploy AVI SE in a secured/restricted RBAC vSphere/vCenter environment #47

Open
4 tasks done
tsugliani opened this issue Jul 8, 2022 · 0 comments
Labels
feature/enhancement New feature or enhancement request module_API Label for API module issues module_CLI Label for CLI module issues module_UI Label for UI module issues

Comments

@tsugliani

Bug description

IHAC that provides a managed vSphere environment, which will not provide the level of permissions that AVI LB currently requires in the normal vCenter/vSphere mode.

In the normal vSphere model right now it seems we have 2 issues we have seen so far:

  • AVI controllers require network to ESXi connectivity which is not provided/allowed.
  • AVI Automation process tries to create vSwitch/portgroups on the ESXi hosts directly which is not allowed.

That said we saw that the VMC deployment model seems to mitigate the issue but can't be used right now for VCPP SPs.

Affected product modules (please put an X in all that apply)

  • SIVT APIs
  • SIVT UI
  • SIVT CLI
  • Docs

Expected behavior

It would be great if SIVT provided a choice for the ALB deployment method, as many VMware SDDC Managed offerings from SPs will have the same security/constraints applied.

This would be on Step 6 actually as shown below

Screenshot 2022-07-08 at 12 22 07

[ ] vSphere
[x] No Orchestrator

Screenshot 2022-07-08 at 11 55 53

Steps to reproduce the bug

I provided access to the environment for VMware analysis.

Version (include the SHA if the version is not obvious)

SIVT 1.2.0

Environment where the bug was observed (vSphere+VMC, vSphere+DVS, vSphere+NSXt, etc)

  • SIVT version: 1.2.0
  • vSphere version: 6.7u3
  • vCenter version: 6.7u3
  • Kubernetes version: (use kubectl version):
  • Kubernetes installer & version:
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):
  • Sonobuoy tarball (which contains * below)

Relevant Debug Output (Logs, manifests, etc)

ESXi access

2022-07-06 14:40:01,753  INFO [pool-1-thread-11] (vCenterMgrServiceImplementation.java:2936) - ---------------------------------------------
2022-07-06 14:40:01,753  INFO [pool-1-thread-11] (vCenterMgrServiceImplementation.java:2937) -  vICheckHostReachability : OPERATION START Time Stamp 2022-07-06 14:40:01.753
2022-07-06 14:40:01,753  INFO [pool-1-thread-11] (vCenterMgrServiceImplementation.java:2938) - ---------------------------------------------
2022-07-06 14:40:03,755  INFO [pool-1-thread-11] (VC_Mgr.java:235) - Cannot connect to port 443 of IP  172.20.244.54 connect timed out
2022-07-06 14:40:03,755  INFO [pool-1-thread-11] (vCenterMgrServiceImplementation.java:2957) - Host name : 172.20.244.54 Ping failure
2022-07-06 14:40:05,757  INFO [pool-1-thread-11] (VC_Mgr.java:235) - Cannot connect to port 443 of IP  172.20.244.56 connect timed out
2022-07-06 14:40:05,758  INFO [pool-1-thread-11] (vCenterMgrServiceImplementation.java:2957) - Host name : 172.20.244.56 Ping failure
2022-07-06 14:40:07,760  INFO [pool-1-thread-11] (VC_Mgr.java:235) - Cannot connect to port 443 of IP  172.20.244.51 connect timed out
2022-07-06 14:40:07,761  INFO [pool-1-thread-11] (vCenterMgrServiceImplementation.java:2957) - Host name : 172.20.244.51 Ping failure
2022-07-06 14:40:09,763  INFO [pool-1-thread-11] (VC_Mgr.java:235) - Cannot connect to port 443 of IP  172.20.244.53 connect timed out
2022-07-06 14:40:09,763  INFO [pool-1-thread-11] (vCenterMgrServiceImplementation.java:2957) - Host name : 172.20.244.53 Ping failure
2022-07-06 14:40:11,766  INFO [pool-1-thread-11] (VC_Mgr.java:235) - Cannot connect to port 443 of IP  172.20.244.50 connect timed out
2022-07-06 14:40:11,766  INFO [pool-1-thread-11] (vCenterMgrServiceImplementation.java:2957) - Host name : 172.20.244.50 Ping failure
2022-07-06 14:40:13,769  INFO [pool-1-thread-11] (VC_Mgr.java:235) - Cannot connect to port 443 of IP  172.20.244.52 connect timed out
2022-07-06 14:40:13,769  INFO [pool-1-thread-11] (vCenterMgrServiceImplementation.java:2957) - Host name : 172.20.244.52 Ping failure
2022-07-06 14:40:14,013  INFO [pool-1-thread-11] (vCenterMgrServiceImplementation.java:2978) -  vICheckHostReachability : OPERATION STOP Time Stamp 2022-07-06 14:40:14.013

vSwitch creation

2022-07-06 16:39:18,298  INFO [pool-3-thread-3] (VC_Mgr.java:356) - ===========================================================================
2022-07-06 16:39:30,619  INFO [pool-3-thread-4] (VC_Mgr.java:346) - ===========================================================================
2022-07-06 16:39:30,619  INFO [pool-3-thread-4] (VC_Mgr.java:347) - Object Info : RuntimeFault in creating vSwitch0
2022-07-06 16:39:30,619  INFO [pool-3-thread-4] (VC_Mgr.java:348) - com.vmware.vim25.NoPermission
2022-07-06 16:39:30,619  INFO [pool-3-thread-4] (VC_Mgr.java:353) - Message     : null
2022-07-06 16:39:30,619  INFO [pool-3-thread-4] (VC_Mgr.java:354) - StackTrace  : 
2022-07-06 16:39:30,619  INFO [pool-3-thread-4] (VC_Mgr.java:355) - com.vmware.vim25.NoPermission
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at java.lang.Class.newInstance(Class.java:442)
	at org.doublecloud.ws.gen.XmlGenStream.a(Unknown Source)
	at org.doublecloud.ws.gen.XmlGenStream.fromXML(Unknown Source)
	at com.vmware.vim25.ws.WSClient.invoke(Unknown Source)
	at com.vmware.vim25.ws.VimStub.addVirtualSwitch(Unknown Source)
	at com.vmware.vim25.mo.HostNetworkSystem.addVirtualSwitch(Unknown Source)
	at com.avinetworks.infrastructure.vcenter.VCMgrCreateVMFromOVAParams.retrieveAviInternalNetwork(VCMgrCreateVMFromOVAParams.java:1870)
	at com.avinetworks.infrastructure.vcenter.VCMgrCreateVMFromOVAParams.vmWareCreateAVISEfromOVF(VCMgrCreateVMFromOVAParams.java:581)
	at com.avinetworks.infrastructure.vcenter.vCenterMgrServiceImplementation.vICreateSEVM(vCenterMgrServiceImplementation.java:1292)
	at com.avinetworks.protobuf.vCenterMgr$vCenterMgrService.callMethod(vCenterMgr.java:45550)
	at com.avinetworks.infrastructure.tcp_rpc.TcpRpcRequestProcessor$TcpRpcRequestHandler.handle_request(TcpRpcRequestProcessor.java:270)
	at com.avinetworks.infrastructure.tcp_rpc.TcpRpcRequestProcessor$TcpRpcRequestHandler.run(TcpRpcRequestProcessor.java:190)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
@rashikwal rashikwal added feature/enhancement New feature or enhancement request module_API Label for API module issues module_UI Label for UI module issues module_CLI Label for CLI module issues labels Jul 11, 2022
@rashikwal rashikwal reopened this Jul 16, 2022
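The two failure classes in the debug output above (ESXi hosts unreachable on port 443, and a `NoPermission` fault on a vSphere API call) can be extracted from such a log mechanically. The following is an added example, not part of the issue and not SIVT or Avi code; the function name `triage` is hypothetical and the sample is a shortened excerpt constructed from the log lines in the issue.

```python
import re
from collections import defaultdict

# Constructed sample: shortened excerpt in the format of the log lines quoted in the issue.
SAMPLE_LOG = """\
2022-07-06 14:40:03,755  INFO [pool-1-thread-11] (VC_Mgr.java:235) - Cannot connect to port 443 of IP  172.20.244.54 connect timed out
2022-07-06 14:40:03,755  INFO [pool-1-thread-11] (vCenterMgrServiceImplementation.java:2957) - Host name : 172.20.244.54 Ping failure
2022-07-06 14:40:05,757  INFO [pool-1-thread-11] (VC_Mgr.java:235) - Cannot connect to port 443 of IP  172.20.244.56 connect timed out
2022-07-06 16:39:30,619  INFO [pool-3-thread-4] (VC_Mgr.java:347) - Object Info : RuntimeFault in creating vSwitch0
2022-07-06 16:39:30,619  INFO [pool-3-thread-4] (VC_Mgr.java:355) - com.vmware.vim25.NoPermission
\tat com.vmware.vim25.ws.WSClient.invoke(Unknown Source)
\tat com.vmware.vim25.ws.VimStub.addVirtualSwitch(Unknown Source)
\tat com.vmware.vim25.mo.HostNetworkSystem.addVirtualSwitch(Unknown Source)
"""

CONNECT_RE = re.compile(r"Cannot connect to port (\d+) of IP\s+(\S+)")
OBJECT_RE = re.compile(r"Object Info : (.+)$")
FAULT_RE = re.compile(r"- com\.vmware\.vim25\.(\w+)\s*$")           # fault class logged on its own line
FRAME_RE = re.compile(r"^\s+at com\.vmware\.vim25\.mo\.(\w+)\.(\w+)\(")  # managed-object stack frame


def triage(log_text):
    """Return (unreachable hosts per port, vSphere API calls that raised a fault)."""
    unreachable = defaultdict(list)
    denied = []
    context = fault = None
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            port, host = int(m.group(1)), m.group(2)
            if host not in unreachable[port]:
                unreachable[port].append(host)
        elif m := OBJECT_RE.search(line):
            context = m.group(1).strip()          # what the controller was attempting
        elif m := FAULT_RE.search(line):
            fault = m.group(1)                    # may be logged twice; keep the latest
        elif fault and (m := FRAME_RE.match(line)):
            # The first managed-object frame names the API call that was refused.
            denied.append({"fault": fault, "call": f"{m.group(1)}.{m.group(2)}", "context": context})
            fault = None
    return dict(unreachable), denied


if __name__ == "__main__":
    hosts, calls = triage(SAMPLE_LOG)
    print("unreachable:", hosts)
    print("denied calls:", calls)
```

The result lists what the restricted environment blocks: the controller-to-ESXi connections that timed out and the host-level API call the granted role does not permit.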