4

I'm starting to play with automating VMware vCenter using PyVMomi. I want to take some base images and clone them, do some work on them, then delete them afterwards.

However, I'm terrified that I'll code it incorrectly and delete some of our infrastructure VMs that we desperately need.

Is there a way that I should set up permissions so that I can tag the VMs I want to protect? Or, how is best to avoid accidentally deleting an important VM?

omghai2u
  • 3
    It's easier than that, don't develop on a production environment. – Chopper3 Jan 21 '17 at 10:18
  • @Chopper3 - sure, that'd be ideal. But we're a small start-up with limited funds. Regardless, the issue, I think, is still valid: how can I administratively prevent users from deleting *some* VMs while letting them delete others? – omghai2u Jan 21 '17 at 10:59
  • 1
    @Chopper3 I don't develop on a production environment, BUT I do use a single vCenter for all my VMs, so we protect them with permissions – Jacob Evans Jan 21 '17 at 16:15
  • 1
    @omghai2u I assume you've used Ansible as some guides for your coding, as they use PyVmomi as well – Jacob Evans Jan 21 '17 at 16:17

1 Answer

2

Yes, you can easily set permissions on folders and remove your ability to manage guests outside that folder. (ESXi 5.5 Documentation)

Side note: PyVMomi is very slow at deleting 100+ VMs; it's a lot faster in the console.

Jacob Evans
  • Thank you! I didn't know there was an ansible package, I just went right to coding my own Python solution. So thank you for that as well! Dumb additional question to this: I'm new to permissions in vCenter, obviously. We have a bunch of folders (e.g. Templates, Test VMs, Production VMs, etc). I just want to block people from deleting VMs from "Production VMs". Is it best to deny the "Remove VM" permission to the entire User's Group and just add it to every folder *except* "Production VMs"? – omghai2u Jan 21 '17 at 19:45
  • 1
    I would create a role, remove all from the default role and use the new role that has specific folder permissions to folders 'dev/test/prod' – Jacob Evans Jan 21 '17 at 20:01
  • I'm deploying hundreds of vms, both Linux and Windows, and use guest facts to feed static IP info to vms for use post kickstart/wds – Jacob Evans Jan 21 '17 at 20:02
  • Thank you again! I created a test user and think I've got it sorted out! That sounds really cool about the static IP info -- do you have a blog post or anything about it? I'm looking to develop something similar, I think. – omghai2u Jan 21 '17 at 20:16
  • No, but I certainly could, https://www.jacobdevans.com, I'll get something up this week – Jacob Evans Jan 21 '17 at 21:11
  • That would be awesome! I'll be on the lookout for it! Thank you! – omghai2u Jan 21 '17 at 21:30
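
A client-side guard that mirrors the folder-scoped permissions discussed above, as an added example that is not part of the original question or answer: the clean-up script refuses to call `Destroy_Task()` unless the VM sits in or below an allowed folder. The allow-list path, the `FakeEntity` stand-in and the sample inventory are constructed for illustration; only the `name` and `parent` properties and `Destroy_Task()` are assumed from pyVmomi.

```python
# Added example: fail-closed folder guard for a pyVmomi clean-up script.
# Uses only ManagedEntity.name/.parent and VirtualMachine.Destroy_Task().
# Assumed allow-list: full inventory paths, root-first (constructed values).
ALLOWED_FOLDERS = [("Datacenters", "DC1", "vm", "Test VMs")]

def inventory_path(entity):
    """Return the names of the entity's ancestors, root-first."""
    parts = []
    node = getattr(entity, "parent", None)
    while node is not None:
        parts.append(node.name)
        node = getattr(node, "parent", None)
    return tuple(reversed(parts))

def is_deletable(vm, allowed=ALLOWED_FOLDERS):
    """True only if the VM sits in, or below, an allowed folder."""
    path = inventory_path(vm)
    # Compare whole segments so "Test VMs" never matches "Test VMs-old";
    # an empty allow entry is skipped because it would match everything.
    return any(path[:len(p)] == tuple(p) for p in allowed if p)

def safe_destroy(vm, allowed=ALLOWED_FOLDERS, dry_run=True):
    """Destroy the VM only when the guard passes; dry-run by default."""
    if not is_deletable(vm, allowed):
        where = "/".join(inventory_path(vm)) or "<no parent folder>"
        raise PermissionError(f"refusing to delete {vm.name!r} in {where}")
    return None if dry_run else vm.Destroy_Task()

class FakeEntity:
    """Constructed stand-in for a pyVmomi folder or VM."""
    def __init__(self, name, parent=None):
        self.name, self.parent, self.destroyed = name, parent, False

    def Destroy_Task(self):
        self.destroyed = True
        return "task-constructed"

def build_sample_inventory():
    """Constructed inventory using the folder names from the question."""
    vm_root = FakeEntity("vm", FakeEntity("DC1", FakeEntity("Datacenters")))
    test, prod, old = (FakeEntity(n, vm_root) for n in
                       ("Test VMs", "Production VMs", "Test VMs-old"))
    return {"clone": FakeEntity("clone-01", test),
            "nested": FakeEntity("clone-02", FakeEntity("batch-7", test)),
            "prod": FakeEntity("db-01", prod),
            "lookalike": FakeEntity("legacy-01", old),
            "no_parent": FakeEntity("in-vapp")}
```

Against a live vCenter, pass the `vim.VirtualMachine` object in place of the stand-in; the guard complements the folder-scoped role rather than replacing it, so a bug in the script is stopped by either layer.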