VMware ESXI cannot power on VM, create new VM, or revert snapshots after Native Fpolicy was enabled in System Manager
Applies to
- VMware ESXI
- NFS
- Native Fpolicy
Issue
- VMware ESXI tries to power on VM, but fails with error
Example:
Task Power On virtual machine
Target VMTemplate
Status An error occurred while opening configuration file "/vmfs/volumes/1234-5678/VMTemplate/VMTemplate.vmx": Insufficient permission to access the file.
- Currently running VMs are not impacted
- Powered off VMs cannot power on
- Reverting VM snapshots may also fail with similar permissions issues
- Packet trace indicates
CREATEfails withNFS3ERR_ACCESfor file extensionsvmx~, andtmp
Example:
79572 2024-07-08 17:12:57.231332 0.000036 10.x.x.x 10.x.x.x NFS 246 5 V3 CREATE Call (Reply In 79574), DH: 0x76c31fa7/Win10-002.vmx~ Mode: UNCHECKED 79574 2024-07-08 17:12:57.231452 0.000063 10.x.x.x 10.x.x.x NFS 106 5 V3 CREATE Reply (Call In 79572) Error: NFS3ERR_ACCES 79638 2024-07-08 17:12:57.238400 0.000043 10.x.x.x 10.x.x.x NFS 254 5 V3 CREATE Call (Reply In 79641), DH: 0x76c31fa7/Win10-002-aux.xml.tmp Mode: UNCHECKED 79641 2024-07-08 17:12:57.238523 0.000098 10.x.x.x 10.x.x.x NFS 106 5 V3 CREATE Reply (Call In 79638) Error: NFS3ERR_ACCES
Note: This also applies to NFSv4 protocols and thus NFS4ERR_ACCESS is seen
sectrace -trace-allow yesconfirms access is allowed
Example:
cluster::> sectrace trace-result show -vserver svm1
Vserver: svm1
Node Index Filter Details Reason
--------------- ----- -------------------------- ------------------------------
node1 1 Security Style: - Access is denied by the
FPolicy native policy.
Protocol: nfs
Volume: -
Share: vmware
Path: test.nvram
Win-User: DOMAIN\user
UNIX-User: root
Session-ID: 16029155498741727270