Server Configuration Guide : Authentication and User Management : Virtual Machine Delegates for NFS Storage

Virtual Machine Delegates for NFS Storage
To perform most activities on virtual machines, an ESX Server needs access to virtual machine files. For instance, to power on and off virtual machines the ESX Server must be able to create, manipulate, and delete files on the volume that is storing the virtual disk files.
If you are creating, configuring, or administering virtual machines on an NFS datastore you do so through a special user, known as the delegate user. The delegate user's identity is used by the ESX Server for all I/O requests issued to the underlying file system.
By default, the delegate user for the ESX Server host is root. However, having root as the delegate user may not work for all NFS datastores. NFS administrators may export volumes with root squashing enabled. The root squash feature maps root to a user with no significant privileges on the NFS server, limiting the root user's abilities. This feature is commonly used to prevent unauthorized access to files on an NFS volume. If the NFS volume was exported with root squash enabled, the NFS server might refuse access to the ESX Server host. To ensure that you can create and manage virtual machines from your host, the NFS administrator must turn off the root squash feature or add the ESX Server host’s physical network adapter to the list of trusted servers.
If the NFS administrator is unwilling to take either of these actions, you can change the delegate user to a different identity through experimental ESX Server functionality. This identity must match the owner of the directory on the NFS server otherwise the ESX Server host will be unable to perform file level operations. To set up a different identity for the delegate user, acquire the following information:
Then, use this information to change the delegate user setting for the ESX Server host so that it matches the owner of the directory, enabling NFS datastore to recognize the ESX Server host correctly. The delegate user is configured globally, and the same identity is used to access to every volume.
Setting up the delegate user on an ESX Server host requires that you complete these activities:
Edit the user named vimuser to add the correct UID and GID. vimuser is an ESX Server host user provided to you as a convenience for setting up delegate users. By default, vimuser has a UID of 12 and a GID of 20.
You must perform one of these steps regardless of whether you manage the host through a direct connection or through the VirtualCenter Server. Also, you need to make sure that the delegate user (vimuser or a delegate user you create) is identical across all ESX Server hosts that use the NFS datastore. For information on adding users, see Working with the Users Table.
You configure the security profile through VirtualCenter or through a VI Client running directly on the ESX Server host. Performing this task through VirtualCenter is more efficient because you can work through each host one-by-one in the same session. In this case, the users that can access NFS volumes are those that are in the Windows domain.
 
*
 
Warning
 
Changing the delegate user for an ESX Server host is experimental and, currently, VMware does not support this implementation. Use of this functional may result in unexpected behavior.
To change the virtual machine delegate
1
2
The hardware configuration page for this server appears with the Summary tab displayed.
3
Click Enter Maintenance Mode.
4
5
Click Virtual Machine Delegate > Edit to open the Virtual Machine Delegate dialog box.
6
7
8
After you reboot the host, the delegate user setting is visible in both VirtualCenter and the VI Client running directly on the ESX Server host.