Minimal Permissions for Packer remote VMware-iso builder
I'm trying to use Packer to build images from ISO on a remote VMware cluster, and there are security concerns with allowing direct access to the host. What are the minimal permissions required for an account on the ESXi host to successfully complete the build?
The user needs to be able to run the following commands:
vmkfstools
vim-cmd
test
sh
ls
rm
esxcli
stat
mkdir
shaXsum
md5sum
For vim-cmd it must be allowed to run:
vmsvc/power.getstate
vmsvc/reload
vmsvc/power.on
vmsvc/power.off
solo/registervm
vmsvc/unregister
vmsvc/destroy
vmsvc/tools.install
And for esxcli:
network ip connection list
network vm list
network vm port list
system version get
system settings advanced list -o /Net/GuestIPHack
If security is a high concern I would recommend looking into running a dedicated ESXi host for Packer builds, or using nested virtualisation to run an ESXi on top of vSphere just as a build host.
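Added example (not part of the original answer and not Packer's own code): a Python check that tests command lines run by the build account against the lists in the answer above, for instance when reviewing session logs. The function name `check`, the reading of "shaXsum" as sha1sum/sha256sum/..., the prefix matching for esxcli, and the sample lines are assumptions made for illustration.

```python
import re
import shlex

# Allowlist transcribed from the answer above.
COMMANDS = {"vmkfstools", "vim-cmd", "test", "sh", "ls", "rm",
            "esxcli", "stat", "mkdir", "md5sum"}
SHA_SUM = re.compile(r"sha\d+sum")  # assumption: "shaXsum" = sha1sum, sha256sum, ...
VIM_CMD = {"vmsvc/power.getstate", "vmsvc/reload", "vmsvc/power.on",
           "vmsvc/power.off", "solo/registervm", "vmsvc/unregister",
           "vmsvc/destroy", "vmsvc/tools.install"}
ESXCLI = [s.split() for s in (
    "network ip connection list", "network vm list", "network vm port list",
    "system version get", "system settings advanced list -o /Net/GuestIPHack")]
OPERATOR = re.compile(r"[();<>|&]+")


def check(line):
    """Return (allowed, reason) for one command line run by the build account."""
    if "`" in line or "$(" in line:
        return False, "command substitution"
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        argv = list(lexer)
    except ValueError:
        return False, "unbalanced quoting"
    if not argv:
        return False, "empty line"
    if any(OPERATOR.fullmatch(tok) for tok in argv):
        return False, "shell operator chains a second command"
    cmd, args = argv[0], argv[1:]
    if cmd not in COMMANDS and not SHA_SUM.fullmatch(cmd):
        return False, "command not on the list"
    if cmd == "vim-cmd" and (not args or args[0] not in VIM_CMD):
        return False, "vim-cmd subcommand not on the list"
    # Prefix match: trailing arguments are accepted, options placed before
    # the namespace are not (assumption about how strict to be).
    if cmd == "esxcli" and not any(args[:len(p)] == p for p in ESXCLI):
        return False, "esxcli namespace not on the list"
    if cmd == "sh":
        return True, "allowed, but sh can run anything: review its arguments"
    return True, "allowed"


# Constructed sample lines, not captured from a real build.
SAMPLE = ["vim-cmd vmsvc/power.getstate 42", "vim-cmd vmsvc/getallvms",
          "ls /vmfs/volumes && esxcli storage filesystem list"]
REJECTED = [line for line in SAMPLE if not check(line)[0]]
```

Because `sh` is on the list, a first-word check like this is an audit aid and not an enforcement boundary.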