Runecast 3.0 requires elevated privileges for HCL checks

A couple of days ago Runecast Analyzer has been upgraded to version 3.0.0. With that upgrade a very important beta-feature became GA: HW Compatibility and Upgrade Simulator.

I used to run the Runecast service account with readonly privileges. It has been sufficient up to version 2.7.x. Even the hardware compatibility check (beta) did work with readonly privileges. After upgrading my appliance to version 3.0.0 (GA), I found a notification. Missing privileges..

Once you open host details and click on I/O devices tab, there’s further information.

Ok. I did some RTFM and found the information I need in the Runecast-User-Guide. I had to create a new role which is basically a copy of readonly with some extra permissions. Just a side note: For hardware compatibility checks you only need two extra privileges:

  • Host / Configuration / Change settings
  • Global / Settings

To enable all features, I had to add more privileges. A full list of features and their required privileges is shown below.

  • CIM collection
    • Host / CIM / CIM interaction
  • vSAN configuration collection
    • Global / Settings
  • files collection
    • Host / Configuration / Firmware
  • Kernel modules collection
    • Host / Configuration / Change settings
  • auto ESXi syslog configuration
    • Host / Configuration / Advanced settings
    • Host / Configuration / Change settings
    • Host / Configuration / Security profile and firewall
  • auto VM syslog configuration
    • Virtual Machine / Configuration / Advanced
  • auto Web Client registration
    • Extension / Register extension
    • Extension / Update extension
  • HW Compatibility
    • Host / Configuration / Change settings
    • Global / Settings

Go to Menu > Administration > Roles and add a new role e.g. “Runecast”. Add privileges according to your needs. Below is the result if you enable the full set.

Apply the new role to the existing service account. Go to “Hosts and Clusters” > vCenter > Permissions. Select service account and edit. Change role from readonly to new created role “Runecast”.

Changes will become effective immediately in vCenter, but you’ll have to re-run analysis in Runecast Web-UI. The last scan has been done with readonly permissions and is therefore incomplete. Go back to Runecast dashboard and click “Analyze now” to re-scan. If you go back to “HW Compatibility” you will see the full set of I/O device information again.

I don’t know why elevated privileges are required for HW compatibility checks since version 3. It used to work with readonly role before (beta). But nevermind. As long as it works, I’m happy.

Leave a Reply

Your email address will not be published. Required fields are marked *