To perform most activities on virtual machines, an ESX Server needs access to virtual machine files. For instance, to power virtual machines on and off, the ESX Server must be able to create, manipulate, and delete files on the volume that stores the virtual disk files.
If you are creating, configuring, or administering virtual machines on an NFS datastore, you do so through a special user, known as the delegate user. The delegate user's identity is used by the ESX Server for all I/O requests issued to the underlying file system.
By default, the delegate user for the ESX Server host is root. However, having root as the delegate user may not work for all NFS datastores. NFS administrators may export volumes with root squashing enabled. The root squash feature maps root to a user with no significant privileges on the NFS server, limiting the root user's abilities. This feature is commonly used to prevent unauthorized access to files on an NFS volume. If the NFS volume was exported with root squash enabled, the NFS server might refuse access to the ESX Server host. To ensure that you can create and manage virtual machines from your host, the NFS administrator must turn off the root squash feature or add the ESX Server host’s physical network adapter to the list of trusted servers.
If the NFS administrator is unwilling to take either of these actions, you can change the delegate user to a different identity through experimental ESX Server functionality. This identity must match the owner of the directory on the NFS server; otherwise, the ESX Server host will be unable to perform file-level operations. To set up a different identity for the delegate user, acquire the following information:
Then, use this information to change the delegate user setting for the ESX Server host so that it matches the owner of the directory, enabling the NFS datastore to recognize the ESX Server host correctly. The delegate user is configured globally, and the same identity is used to access every volume.
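The root squash behaviour described above can be checked from the NFS server side before changing the delegate user. The following is an added example, not part of the original documentation: it assumes the NFS server is a Linux host using exports(5) syntax, and the paths, addresses, and function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in Linux exports(5) syntax; paths and addresses are made up.
SAMPLE_EXPORTS = """\
# VM datastores
/vmstore/a  *(rw,no_root_squash)
/vmstore/b  192.0.2.10(rw,no_root_squash,sync) 192.0.2.11(rw,sync)
/vmstore/c  192.0.2.0/24(rw,sync)
"""
ESX_HOSTS = ["192.0.2.10", "192.0.2.11"]  # assumed ESX Server host addresses

ENTRY = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

def parse_exports(text):
    """Yield (path, client, options) for every client entry of every export."""
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        for token in fields[1:]:
            m = ENTRY.fullmatch(token)
            if m:  # skip malformed tokens instead of guessing
                opts = set(filter(None, (m.group(2) or "").split(",")))
                yield fields[0], m.group(1) or "*", opts

def root_squashed(opts):
    # root_squash is the exports(5) default; all_squash maps every uid, root included.
    return "no_root_squash" not in opts or "all_squash" in opts

def is_broad(client):
    # Wildcards, netgroups and subnets match more than one named host.
    return client.startswith("@") or any(c in client for c in "*?/")

def covers(client, host):
    """True if the export client spec applies to this host address."""
    if client in ("*", host):
        return True
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(client, strict=False)
    except ValueError:  # hostname, netgroup or wildcard pattern: not resolved here
        return False

def audit(text, esx_hosts):
    """Return (path, client, finding) tuples for root-squash problems."""
    findings = []
    for path, client, opts in parse_exports(text):
        if not root_squashed(opts) and is_broad(client):
            findings.append((path, client, "no_root_squash for a broad client"))
        elif root_squashed(opts) and any(covers(client, h) for h in esx_hosts):
            findings.append((path, client, "root delegate squashed"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS, ESX_HOSTS):
        print(*finding, sep="\t")
```

An export reported as "root delegate squashed" is one where the default root delegate user will be refused, so the delegate identity must match the directory owner; an export reported as "no_root_squash for a broad client" trusts root from more hosts than the ESX Server hosts that need it.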
You must perform one of these steps regardless of whether you manage the host through a direct connection or through the VirtualCenter Server. Also, you need to make sure that the delegate user (vimuser or a delegate user you create) is identical across all ESX Server hosts that use the NFS datastore. For information on adding users, see Working with the Users Table.
You configure the security profile through VirtualCenter or through a VI Client running directly on the ESX Server host. Performing this task through VirtualCenter is more efficient because you can work through each host one-by-one in the same session. In this case, the users that can access NFS volumes are those that are in the Windows domain.