
Failed to create / update resource group

planzone

Hello - 

I have an issue that requires some attention and wanted to post to the communities for a possible resolution.

 

Some Context: 

In our lab we manage many Datacenter Services for NetApp Engineering. One of the important roles we play is "Customer Zero", which basically means we eat out of the same dog bowl as customers do and submit BURTS (any bugs found) to the product's engineering owner.

 

We use NetApp products due to the above, and of course we are in house and we deploy "NetApp on NetApp". Virtual Storage Console (VSC) has always been beneficial to us in our virtual environment and in this particular case was used for backups, as it is very simple to use.

 

However, since VSC 7.1 no longer supports backups and has transferred those duties to SnapCenter, I have deployed SnapCenter into our datacenter to be used for numerous backup operations and to be our single pane of glass. Not only will it be used for VMware, we will also use it to back up MySQL instances and will utilize other plugins where applicable with SnapCenter. With that said, I have run into an issue and I wanted to post this to the masses for a collaborative troubleshooting exercise, so to speak. And I hope that this will help anyone else out there who has deployed these NetApp products within their enterprise/environments.

 

I have upgraded from VSC 6.x to 7.1. I did not utilize the migration utility and noticed some clean up was in order. For example, most of the storage was accessing the cluster management LIFs and SnapCenter requires access to the SVM mgmt LIF. So I manually set up SVMs with the proper LIFs and created accounts for the SVMs accordingly.

 

 

 

My Issue:

 

From vCenter I am trying to create a backup. I right-click a resource, which in this case is a VM. I go through the very simple wizard screens. When I get to the summary screen (final screen) and click "Finish", I am presented with a 'Failed to create/update resource group' screen (see attached). This also happens when I try on a datastore.

 

The SVM from the storage is added to SnapCenter through its mgmt LIF. The account used from SnapCenter to access the SVM has the vsadmin role.

 

Let me know if additional information or screenshots are needed.

 

I am running SnapCenter 4.0

VSC appliance 7.1

vCenter version 6.5u1

 

 

 Quick Update:

I tried to create a policy and received a failed to create policy message: "Connection Error occured!" (error also attached)

 

1 ACCEPTED SOLUTION

planzone

Hi -

Just a quick update in case anyone else runs into this. After reviewing the log on the vCenter appliance, the vCenter user used by the SnapCenter Plug-in for VMware (SCV) did not have access to the root folder in vCenter (Folder:group-d1). The SCV plugin requires an "admin" user to communicate with vCenter.

 

The other caveat is that we use multiple SSO identities. The initial user I had used had what appeared to be admin access. However, the other authentication identity source was not functioning. I had to pull the identity source out and put it back in for it to work on the vCenter side. Perhaps a VMware bug/issue. Nonetheless, I wanted to share this to help others if they run into this issue.

 

Pertinent info highlighted in red.

"vsphere_client_virgo.log"

 

[2018-01-24T02:44:02.560Z] [INFO ] SsoTokenRenewalExecutor-688  70006921 100181 200055 com.vmware.vsphere.client.security.sso.SsoTokenLifetimeManager    Token renewed for sessionId 100181, clientId 200055. Token expiration time: Fri Feb 23 02:44:02 GMT 2018

[2018-01-24T02:44:02.560Z] [INFO ] SsoTokenRenewalExecutor-688  70006921 100181 200055 com.vmware.vsphere.client.security.sso.SsoTokenLifetimeManager    sessionId 100181, clientId 200055, Token expiration time: Fri Feb 23 02:44:02 GMT 2018

Token renewal scheduled approximately for: Fri Feb 23 02:39:02 GMT 2018

[2018-01-24T02:44:07.189Z] [ERROR] http-bio-9090-exec-226        o.a.c.c.C.[.[localhost].[/vsphere-client/scvmUI].[springServlet]  Servlet.service() for servlet [springServlet] in context with path [/vsphere-client/scvmUI] threw exception [Request processing failed; nested exception is com.netapp.nvpf.api.model.PrivilegeException: Did not find any of the datastores or virtual machines to backup: [Folder:group-d1]] with root cause com.netapp.nvpf.api.model.PrivilegeException: Did not find any of the datastores or virtual machines to backup: [Folder:group-d1]

                at com.netapp.aegis.privilege.AegisPrivilegeValidator.hasPrivileges(AegisPrivilegeValidator.java:371)

                at com.netapp.aegis.server.AegisApiServiceImpl.hasPrivilegeCheckOnRootFolder(AegisApiServiceImpl.java:1164)

                at com.netapp.aegis.restapi.BackupRecoveryApiServiceImpl.hasPrivilegeCheckOnRootFolder(BackupRecoveryApiServiceImpl.java:1234)

                at sun.reflect.GeneratedMethodAccessor55.invoke(Unknown Source)

 

The log file is located here on the appliance:

/var/log/vmware/vsphere-client/logs

 

I grabbed the file with WinSCP.

This link provides details on how to copy logs from an appliance:

https://blog.ukotic.net/2016/09/20/scp-to-a-vcenter-server-appliance-vcsa/

 

View solution in original post
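
As an added example (not part of the original post, and not NetApp or VMware code), this Python script scans a `vsphere_client_virgo.log` for the `PrivilegeException` quoted above and reports which inventory objects the plug-in's vCenter user could not see, and whether the failure came from the root-folder privilege check. The sample log is constructed from the excerpt in the post; the function name and the comma-separated handling of several objects are assumptions.

```python
import re

# Constructed sample, shortened from the vsphere_client_virgo.log excerpt in the post.
SAMPLE_LOG = """\
[2018-01-24T02:44:02.560Z] [INFO ] SsoTokenRenewalExecutor-688  70006921 100181 200055 com.vmware.vsphere.client.security.sso.SsoTokenLifetimeManager    Token renewed for sessionId 100181, clientId 200055.
[2018-01-24T02:44:07.189Z] [ERROR] http-bio-9090-exec-226        o.a.c.c.C.[.[localhost].[/vsphere-client/scvmUI].[springServlet]  Servlet.service() for servlet [springServlet] threw exception with root cause com.netapp.nvpf.api.model.PrivilegeException: Did not find any of the datastores or virtual machines to backup: [Folder:group-d1]
                at com.netapp.aegis.privilege.AegisPrivilegeValidator.hasPrivileges(AegisPrivilegeValidator.java:371)
                at com.netapp.aegis.server.AegisApiServiceImpl.hasPrivilegeCheckOnRootFolder(AegisApiServiceImpl.java:1164)
"""

# Start of a log entry: "[timestamp] [LEVEL] rest-of-line"
ENTRY = re.compile(r"^\[(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\] \[(?P<level>\w+)\s*\] (?P<rest>.*)$")
# Root cause text ending in the bracketed managed-object reference(s)
ROOT_CAUSE = re.compile(r"root cause \S*PrivilegeException: (?P<msg>.*?): \[(?P<objs>[^\]]+)\]\s*$")
# Java stack frame continuation line
FRAME = re.compile(r"^\s+at (?P<method>[\w.$]+)\(")


def find_privilege_failures(text):
    """Return one dict per ERROR entry whose root cause is a PrivilegeException."""
    findings, current = [], None
    for line in text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            current = None  # a new entry ends any stack trace being tracked
            cause = ROOT_CAUSE.search(entry["rest"])
            if entry["level"] == "ERROR" and cause:
                current = {
                    "time": entry["ts"],
                    "message": cause["msg"],
                    # Assumption: several objects would be comma-separated.
                    "objects": [o.strip() for o in cause["objs"].split(",")],
                    "root_folder_check": False,
                }
                findings.append(current)
        elif current is not None:
            frame = FRAME.match(line)
            if frame and frame["method"].endswith("hasPrivilegeCheckOnRootFolder"):
                current["root_folder_check"] = True
    return findings


if __name__ == "__main__":
    for f in find_privilege_failures(SAMPLE_LOG):
        where = "root-folder check" if f["root_folder_check"] else "other check"
        print(f'{f["time"]} no privileges on {", ".join(f["objects"])} ({where})')
```

A hit on `Folder:group-d1` with `root_folder_check` set points at the vCenter account's permissions on the inventory root rather than at the storage-side SVM credentials.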

2 REPLIES 2


DavidDAVE

Hi there,

 

I'm stuck with a similar problem: https://community.netapp.com/t5/Backup-and-Restore-Discussions/SC-4-0-Unable-to-create-resource-groups/m-p/138553#M11818

 

Could you please give us further details about what you mean by "I had to pull the identity source out and put it back in for it to work on the vcenter side." in your resolution post?

 

Thanks a lot in advance! 🙂

 

Kind regards,

 

David
