[SOLVED] [one.template.instantiate] Failed to clone images: Not authorized to perform USE IMAGE [0]

Community Support
1

hi

i am creating vm in via VDC user .i am facing this issue kindly let me know how to resolve this issue. can any body help me .

[one.template.instantiate] Failed to clone images: Not authorized to perform USE IMAGE [0]

1 Like
2

I have the same problem . Did you manage to get this resolved ?

3

Hello @Almero_Rademeyer

If you have a template with images associated, you need to give use permission to the template and also to all the images, so the user can use both.

4

Hi Yes , I have been applying permissions for two days , even set Admin rights to the user group . Still no success . Here is an extract on the template and user examples >

onetemplate show 10
TEMPLATE 10 INFORMATION
ID : 10
NAME : cssa-neb-template-win10
USER : oneadmin
GROUP : users
LOCK : None
REGISTER TIME : 03/27 15:20:04

PERMISSIONS
OWNER : uma
GROUP : u–
OTHER : u–

TEMPLATE CONTENTS
CONTEXT=[
NETWORK=“YES”,
SSH_PUBLIC_KEY="$USER[SSH_PUBLIC_KEY]" ]
CPU=“1”
DESCRIPTION=“Windows 10 Premium”
DISK=[
IMAGE_ID=“0”,
OPENNEBULA_MANAGED=“NO” ]
GRAPHICS=[
LISTEN=“0.0.0.0”,
TYPE=“VNC” ]
HYPERVISOR=“vcenter”
INPUTS_ORDER=""
LOGO=“images/logos/windows8.png”
MEMORY=“4096”
MEMORY_UNIT_COST=“MB”
NIC=[
NETWORK_ID=“0”,
OPENNEBULA_MANAGED=“NO” ]
OS=[
BOOT="" ]
USER_INPUTS=[
CPU=“O|fixed|| |1”,
MEMORY=“M|list||4096,6144,8192|4096”,
VCPU=“O|list||1,2,4|1” ]
VCENTER_CCR_REF=“domain-c49”
VCENTER_INSTANCE_ID=“f8f4fcdb-1361-4de5-a652-2e0ad7ef0018”
VCENTER_TEMPLATE_REF=“vm-109”
VCENTER_VM_FOLDER=“Nebula”
VCPU=“1”

And the test user using core authentication >

oneuser show 5
USER 5 INFORMATION
ID : 5
NAME : JDT
GROUP : users
SECONDARY GROUPS: 1,102
PASSWORD : 034b4625c77b5a29719d4c491fec29bff7dd118e
AUTH_DRIVER : core
ENABLED : Yes

TOKENS

USER TEMPLATE
TOKEN_PASSWORD=“42f3b4f6ba6c3a3340fd06e4f10852c73c4868f0”

VMS USAGE & QUOTAS

          VMS               MEMORY                  CPU     SYSTEM_DISK_SIZE
  0 /       8        0M /       8M      0.00 /     8.00        0M /       8M

VMS USAGE & QUOTAS - RUNNING

  RUNNING VMS       RUNNING MEMORY          RUNNING CPU
  0 /       8        0M /       8M      0.00 /     8.00

DATASTORE USAGE & QUOTAS

NETWORK USAGE & QUOTAS

IMAGE USAGE & QUOTAS

      ID          RUNNING VMS
       0         0 /        8
5

I just tested while tailing oned.log , it clearly states access denied

Thu Mar 28 12:17:53 2019 [Z0][ReM][D]: Req:2304 UID:5 one.template.info invoked , 10, true
Thu Mar 28 12:17:53 2019 [Z0][ReM][E]: Req:2304 UID:5 one.template.info result FAILURE [one.template.info] User [5] : Not authorized to perform USE IMAGE [0].
Thu Mar 28 12:17:56 2019 [Z0][ReM][D]: Req:240 UID:0 one.zone.raftstatus invoked
Thu Mar 28 12:17:56 2019 [Z0][ReM][D]: Req:240 UID:0 one.zone.raftstatus result SUCCESS, “<SERVER_ID>-1<…”

6

Could yo please send me the output of oneimage show 0?

7

Hi There , as expected it appears there is no 0 .

onetemplate show 0
[one.template.info] Error getting virtual machine template [0].

8

Hi @Almero_Rademeyer

I meant the image, no the template, the command is oneimge show 0.

9

Hi there , i re deployed vONE appliance to get a clean start .

Attached is the new windows 10 template . I noticed I have to add my individual users to oneadmin group to deploy . So i guess I would need a separate template for each user group

IMAGE 0 INFORMATION
ID : 0
NAME : cssa-neb-template-win10 - CSSA-STB-ESX-99-LOCAL [template 1]
USER : oneadmin
GROUP : oneadmin
LOCK : None
DATASTORE : CSSA-STB-ESX-99-LOCAL(IMG)
TYPE : OS
REGISTER TIME : 04/01 06:12:58
PERSISTENT : No
SOURCE : cssa-neb-template-win10/cssa-neb-template-win10.vmdk
PATH : vcenter://cssa-neb-template-win10/cssa-neb-template-win10.vmdk
SIZE : 25G
STATE : rdy
RUNNING_VMS : 0

PERMISSIONS
OWNER : um-
GROUP : —
OTHER : —

IMAGE TEMPLATE
DEV_PREFIX=“sd”
VCENTER_IMPORTED=“YES”

VIRTUAL MACHINES

10

Hi @Almero_Rademeyer

You don’t need to add your user to the oneadmin group. You just need to give use permission to others on that image.

11

Then I am missing a step .
Below is a screenshot of the test user for POC . ( as seen by CloudAdmin )

image
image.png980×454 25.3 KB

And when I test with a new user called JDT I still get access denied to image 0

12

Because, your template has an image associated, so the user needs use permission on that image too, you have to go to the image and give that use permission.

13

THANK YOU VERY MUCH , that was the missing step . Your excellent support will go a long way for me to motivate us getting paid for support for vONE .

14

Nice! And remember, this case is the same for NICS, if you have any NIC in your template, you need to give use permission to others.

1 Like
15

Hi, I’m just getting started with open nebula and I’m running into the issue mentioned by @ahuertas for NIC permissions but can’t find the correct settings for NICs.
My error is “[one.template.instantiate] User [10] : User Template includes a restricted attribute NIC.”

Tried the following:
commenting out this line from oned.conf based on another thread - #VM_RESTRICTED_ATTR = “NIC/MAC”
removing the NIC from the template and adding on deployment
Went thru permissions and settings for the template and image and tried finding the info in the docs but no luck so far.
Thanks in advance for your help.

16

Hello @devops

Restricted attributes are attributes that can be only changed by oneadmin user (or users that belong to that group)

If you try to instantiate a template modifying some of that attributes as a normal user you get that error.

So please, check that user 10 is not changing any restricted attribute when instantiating the VM template. If you want that the user can modify it, comment the restricted attribute in the oned.conf file.

Best,
Álex.

17

Hi Alex,

Thanks for the quick response. I made these changes in oned.conf and restarted the service:
#VM_RESTRICTED_ATTR = “NIC/MAC”
#VM_RESTRICTED_ATTR = “NIC/VCENTER_INSTANCE_ID”
#VM_RESTRICTED_ATTR = “NIC/VCENTER_NET_REF”
#VM_RESTRICTED_ATTR = “NIC/VCENTER_PORTGROUP_TYPE”
#VM_RESTRICTED_ATTR = “DISK/OPENNEBULA_MANAGED”
#VM_RESTRICTED_ATTR = “DISK/VCENTER_DS_REF”
#VM_RESTRICTED_ATTR = “DISK/VCENTER_INSTANCE_ID”
#VM_RESTRICTED_ATTR = “DISK/SIZE”
#VM_RESTRICTED_ATTR = “RANK”
#VM_RESTRICTED_ATTR = “SCHED_RANK”
#VM_RESTRICTED_ATTR = “REQUIREMENTS”
#VM_RESTRICTED_ATTR = “SCHED_REQUIREMENTS”

#IMAGE_RESTRICTED_ATTR = “SOURCE”
#IMAGE_RESTRICTED_ATTR = “VCENTER_IMPORTED”

My user account is still not able to create a VM.
[one.template.instantiate] User [10] : User Template includes a restricted attribute NIC.
I can deploy the VM as oneadmin and assign it to my user account. My user account can see the VM, so I powered it off and tried to save it as a new template but still getting error:
[one.template.update] Cannot update template. User Template includes a restricted attribute NIC

Any help you can offer will be greatly appreciated.
Thank you.

18

Hello @devops

Could you please share your VM Template (onetemplate show <template_id> -x) and your user info (oneuser show <user_id> -x)?

Best,
Álex.