Question about: ACL vs ACL

Hi.

Just one quick question.

What happens if I create 2 ACLs like:

1.- NOBODY can USE dom0 56
2.- USER login can USE dom0 56

Because I have a dom0 that exists in a cluster, but temporarily I only want the user “login” to be able to run VMs inside it.

Is it possible? Or does the first rule block the second?

Thanks in advance.

Just updating the question:

I noted that it is not possible to create a negative ACL… I mean, OpenNebula permits a USE rule, but does not permit a NOT USE rule.

Finally I duplicated the templates and in one set `SCHED_REQUIREMENTS="ID=\"56\""` and in the other set `SCHED_REQUIREMENTS="!(ID=\"56\")"`.

But I think having a NOT USE option is a must in ACLs :slight_smile:

Hi,

OpenNebula does not have negative ACL rules, but any action is denied by default.
For your example:

1.- NOBODY can USE dom0 56
2.- USER login can USE dom0 56

Rule 1 is implicit, nobody can use anything unless you grant them permission. Rule 2 would actually be a MANAGE right instead of USE, because that’s what the scheduler looks for to deploy the VMs.

But anyway, you don’t need to worry about low level ACL rules to administer who has rights to deploy in each host. The VDCs exist for that reason, and you can move your hosts around from the Sunstone web interface.

Hi.

I know that VDCs were developed for that… but actually we use version 4.10.2, and VDCs work fine in the next ON version.

Our problem is that a simple user (group users) is launching VMs on a dom0 that is not part of users… it is so strange :frowning:

An example:

    [oneadmin@cloud ~]$ oneuser show natalia
    USER 175 INFORMATION
    ID              : 175
    NAME            : natalia
    GROUP           : users
    SECONDARY GROUPS: 1,112

This user is in the users group and in its own group “comunicaciones”:

    [oneadmin@cloud ~]$ onegroup show 112
    GROUP 112 INFORMATION
    ID             : 112
    NAME           : comunica_G

    GROUP TEMPLATE
    DEFAULT_VIEW="user"
    GROUP_ADMINS="natalia"
    SUNSTONE_VIEWS="user,vdcadmin,admin,cloud"

    USERS
    ID
    175

    RESOURCE PROVIDERS
       ZONE CLUSTER
          0     109

On the other hand, host ID 56 is only in cluster hadoop:

    [oneadmin@cloud ~]$ onehost show 56
    HOST 56 INFORMATION
    ID                    : 56
    NAME                  : nubacesga-05-2
    CLUSTER               : hadoop
    STATE                 : MONITORED

But… when users (in the users group) launch VMs… sometimes they start running on the hadoop cluster… and I don't know why.

We are preparing our platform to update and have VDCs… but right now our production ON works badly… and we need to keep the hadoop cluster free to deploy hadoop VMs :smiley:

Any idea how to solve this before updating to the latest stable ON?

Thanks!

Hi,

Can you paste the output of ‘onegroup show users’, and ‘oneacl list’? Probably there is a rule granting users group (@1) MANAGE rights over all hosts.

Hi.

I think so, users have MANAGE on hosts… but it is ACL ID 1… I think that came with the OpenNebula install…

Here is the output.

    [root@cloud ~]# onegroup show users
    GROUP 1 INFORMATION
    ID             : 1
    NAME           : users

    GROUP TEMPLATE

    USERS
    ID
    6
    8
    22
    24
    25
    26
    56
    120
    150
    152
    153
    163
    165
    168
    169
    170
    171
    172
    173
    174
    175
    176
    177
    178
    182
    183
    184
    185
    186
    187
    188
    190
    192
    193
    196
    197
    207
    213
    216
    222
    224
    225
    261
    262
    263
    264
    265
    266
    267
    268
    269
    270
    271
    272
    273
    274
    275
    276
    284
    285
    289
    291
    312
    313
    314
    315
    316
    317
    318
    319
    320
    321
    322
    323
    329
    332
    334
    337
    342
    343
    344
    345
    347
    352
    353
    355
    365
    378
    383
    384
    385
    386
    394
    397
    398
    403
    406
    407
    408
    410
    411
    414
    419
    420
    421
    422
    423
    424
    425
    426
    427
    428
    429
    430
    431
    432
    433
    434
    435
    436
    437
    438
    439
    440
    441
    442
    444

    RESOURCE USAGE & QUOTAS

    NUMBER OF VMS               MEMORY                  CPU        VOLATILE_SIZE
     58 /       -    122.7G /        -     95.00 /        -    570.7G /        -

    DATASTORE ID               IMAGES                SIZE
             100        13 /        -   136.4G /        -
               1        52 /        -   436.4G /        -

      NETWORK ID               LEASES
              12         2 /        -
               7         9 /        -
              18        24 /        -
               6         8 /        -
               1         1 /        -
              17         4 /        -
               8        10 /        -

        IMAGE ID          RUNNING VMS
             163         1 /        -
             387         1 /        -
             670         1 /        -
             667         1 /        -
             702         1 /        -
             719         1 /        -
             744         1 /        -
             738         1 /        -
             752         1 /        -
             753         1 /        -
             760         1 /        -
             761         1 /        -
             762         1 /        -
             687         1 /        -
             633         1 /        -
             660         1 /        -
             624         1 /        -
             623         1 /        -
             622         1 /        -
             632         1 /        -
             783         1 /        -
             785         1 /        -
             745         1 /        -
             648         1 /        -
             808         1 /        -
             809         1 /        -
             814         1 /        -
             787         1 /        -
             654         1 /        -
             813         1 /        -
             635         1 /        -
             347         1 /        -
             795         1 /        -
             432         4 /        -
             789         6 /        -
             824         6 /        -
             796        10 /        -
             206        10 /        -

And the ACL:

       ID     USER RES_VHNIUTGDCOZ   RID OPE_UMAC  ZONE
    0       @1     V-NI-T-----     *     ---c    #0
    1       @1     -H---------     *     -m--    #0
    2        *     ---------O-     *     ---c    #0
    7     @101     V-NI-T-----     *     ---c    #0
    8     @101     -H---------     *     -m--    #0
   14      #22     --N--------     *     u---    #0
   19     @102     -H---------     *     -m--    #0
   22     @102     V--I-T-----     *     ---c    #0
   23     @102     --------C--  #102     u---    #0
   24     @103     V-NI-T-----     *     ---c    #0
   25     @103     -H---------     *     -m--    #0
   29     @101     ---I-------    #3     u---    #0
   30     @101     ---I-------    #4     u---    #0
   31     @101     ---I-------    #5     u---    #0
   32     @101     --N--------    #0     u---    #0
   34     @104     V-NI-T-----     *     ---c    #0
   35     @104     -H---------     *     -m--    #0
   36     @104     --NI-T-----  @103     u---    #0
   37      #28     --N--------    #0     u---    #0
   38      #28     --N--------    #1     u---    #0
   39     @105     V-NI-T-----     *     ---c    #0
   40     @105     -H---------     *     -m--    #0
   41     @101     --NI-T-----  @103     u---    #0
   42     @103     --N--------    #8     u---    #0
   46     #120     --NI-T-----  @103     u---    #0
   47     #120     V----------  @103     um--    #0
   48     @106     V-NI-T-----     *     ---c    #0
   49     @106     -H---------     *     -m--    #0
   50     @106     --N--------    #8     u---    #0
   51       #8     --N--------     *     u---    #0
   52     @102     --N--------    #7     u---    #0
   53       #4     --N--------    #8     u---    #0
   55        *     ----------Z     *     u---     *
   58     @107     V--I-T---O-     *     ---c     *
   59     @107     --NI-T-D---  @103     u---     *
   72      #65     -----T-----  @101     u---    #0
   73      #65     --NI-------    @0     u---    #0
   78     #158     --N--------    @1     u---    #0
   79      #56     V--I-T-----  @103     umac     *
   80     @108     -H---------     *     -m--    #0
   81     @108     --N----D---     *     u---    #0
   82     @108     V----------     *     ---c     *
   86     @109     V-NI-T-----  @103     u---     *
   87     @110     -H---------  %106     -m--    #0
   88     @110     --N----D---  %106     u---    #0
   89     @110     V--I-T---O-     *     ---c     *
   90     @110     V--------O-  @110     u---     *
   94     @111     -H---------  %107     -m--    #0
   95     @111     --N----D---  %107     u---    #0
   96     @111     V--I-T-----     *     ---c     *
   97     @111     V--------O-  @111     u---     *
  100     @112     V--I-T---O-     *     ---c     *
  101     @112     V--------O-  @112     u---     *
  103     @112     -H---------  %109     -m--    #0
  104     @112     --N----D---  %109     u---    #0
  108     @113     -H---------  %109     -m--    #0
  109     @113     --N----D---  %109     u---    #0
  110     @113     V--I-T---O-     *     ---c     *
  111     @113     V--------O-  @113     u---     *
  112     #401     ----U------  @113     umac     *
  113     #401     V--I-T---O-  @113     um-c     *
  116     #444     -H---------   #56     u---    #0

Is the best way to delete ACL ID 1?

Yes, you can delete that default ACL.
Remember to assign a resource provider to group ‘users’, otherwise their VMs will not be deployed.

Sorry… but… what? I'm so lost right now…

PS: maybe update it to something like this:

    @1 CLUSTER/%100 MANAGE *

Group users can manage cluster 100 (cluster production):

    onecluster show 100
    CLUSTER 100 INFORMATION
    ID                : 100
    NAME              : production

    CLUSTER TEMPLATE


    HOSTS
    1
    2
    4
    5
    6
    10
    12
    13
    15
    16
    17
    21
    22
    24
    25
    30
    32
    33
    42
    43
    44
    45
    46
    47
    48
    60
    64

    VNETS
    0
    1
    2
    3
    4
    5
    8
    10
    11
    13

    DATASTORES
    102

That will not work, CLUSTER MANAGE is not what the scheduler looks for when deploying VMs. In 4.10 the VDCs were something internal to each Group, and each group-cluster association was called a ‘resource provider’, see here.

You need to run:

    onegroup add_provider 1 0 100

And that will create the right ACL rules internally (HOST MANAGE for hosts in that cluster).

Did that. I assigned the resource provider and, after deleting the ACL… the result was that no machine was deployed to any cluster :frowning:

I need to check again, because without the ACL

    1 @1 -H--------- * -m-- #0

any machine in the users group will start at any dom0.

Hi,

Can you please post again your current oneacl list, onegroup show, onecluster show, and what sched.log says about the vms that stay in pending state?

**oneacl list**

    ID     USER RES_VHNIUTGDCOZ   RID OPE_UMAC  ZONE
    0       @1     V-NI-T-----     *     ---c    #0
    2        *     ---------O-     *     ---c    #0
    7     @101     V-NI-T-----     *     ---c    #0
    8     @101     -H---------     *     -m--    #0
   14      #22     --N--------     *     u---    #0
   19     @102     -H---------     *     -m--    #0
   22     @102     V--I-T-----     *     ---c    #0
   23     @102     --------C--  #102     u---    #0
   24     @103     V-NI-T-----     *     ---c    #0
   25     @103     -H---------     *     -m--    #0
   29     @101     ---I-------    #3     u---    #0
   30     @101     ---I-------    #4     u---    #0
   31     @101     ---I-------    #5     u---    #0
   32     @101     --N--------    #0     u---    #0
   34     @104     V-NI-T-----     *     ---c    #0
   35     @104     -H---------     *     -m--    #0
   36     @104     --NI-T-----  @103     u---    #0
   37      #28     --N--------    #0     u---    #0
   38      #28     --N--------    #1     u---    #0
   39     @105     V-NI-T-----     *     ---c    #0
   40     @105     -H---------     *     -m--    #0
   41     @101     --NI-T-----  @103     u---    #0
   42     @103     --N--------    #8     u---    #0
   46     #120     --NI-T-----  @103     u---    #0
   47     #120     V----------  @103     um--    #0
   48     @106     V-NI-T-----     *     ---c    #0
   49     @106     -H---------     *     -m--    #0
   50     @106     --N--------    #8     u---    #0
   51       #8     --N--------     *     u---    #0
   52     @102     --N--------    #7     u---    #0
   53       #4     --N--------    #8     u---    #0
   55        *     ----------Z     *     u---     *
   58     @107     V--I-T---O-     *     ---c     *
   59     @107     --NI-T-D---  @103     u---     *
   72      #65     -----T-----  @101     u---    #0
   73      #65     --NI-------    @0     u---    #0
   78     #158     --N--------    @1     u---    #0
   79      #56     V--I-T-----  @103     umac     *
   80     @108     -H---------     *     -m--    #0
   81     @108     --N----D---     *     u---    #0
   82     @108     V----------     *     ---c     *
   86     @109     V-NI-T-----  @103     u---     *
   87     @110     -H---------  %106     -m--    #0
   88     @110     --N----D---  %106     u---    #0
   89     @110     V--I-T---O-     *     ---c     *
   90     @110     V--------O-  @110     u---     *
   94     @111     -H---------  %107     -m--    #0
   95     @111     --N----D---  %107     u---    #0
   96     @111     V--I-T-----     *     ---c     *
   97     @111     V--------O-  @111     u---     *
  100     @112     V--I-T---O-     *     ---c     *
  101     @112     V--------O-  @112     u---     *
  103     @112     -H---------  %109     -m--    #0
  104     @112     --N----D---  %109     u---    #0
  108     @113     -H---------  %109     -m--    #0
  109     @113     --N----D---  %109     u---    #0
  110     @113     V--I-T---O-     *     ---c     *
  111     @113     V--------O-  @113     u---     *
  112     #401     ----U------  @113     umac     *
  113     #401     V--I-T---O-  @113     um-c     *
  116     #444     -H---------   #56     u---    #0
  118       @1     -H---------  %100     -m--    #0
  119       @1     --N----D---  %100     u---    #0
  120       @1     -H---------     *     -m--    #0

**onegroup show 1**

 GROUP 1 INFORMATION
    ID             : 1
    NAME           : users

    GROUP TEMPLATE


    USERS
    ID
    6
    8
    22
    24
    25
    26
    56
    120
    150
    152
    153
    163
    165
    168
    169
    170
    171
    172
    173
    174
    175
    176
    177
    178
    182
    183
    184
    185
    186
    187
    188
    190
    192
    193
    196
    197
    207
    213
    216
    222
    224
    225
    261
    262
    263
    264
    265
    266
    267
    268
    269
    270
    271
    272
    273
    274
    275
    276
    284
    285
    289
    291
    312
    313
    314
    315
    316
    317
    318
    319
    320
    321
    322
    323
    329
    332
    334
    337
    342
    343
    344
    345
    347
    352
    353
    355
    365
    378
    383
    384
    385
    386
    394
    397
    398
    403
    406
    407
    408
    410
    411
    414
    419
    420
    421
    422
    423
    424
    425
    426
    427
    428
    429
    430
    431
    432
    433
    434
    435
    436
    437
    438
    439
    440
    441
    442
    444
    450
    451
    452
    453
    454

    RESOURCE PROVIDERS
       ZONE CLUSTER
          0     100

    RESOURCE USAGE & QUOTAS

        NUMBER OF VMS               MEMORY                  CPU        VOLATILE_SIZE
         41 /       -     84.3G /        -     65.00 /        -    357.5G /        -

    DATASTORE ID               IMAGES                SIZE
             100        13 /        -   136.4G /        -
               1        46 /        -   376.4G /        -

      NETWORK ID               LEASES
              12         2 /        -
               7         9 /        -
              18        12 /        -
               6         8 /        -
               1         1 /        -
               8         4 /        -
              17         5 /        -

        IMAGE ID          RUNNING VMS
             163         1 /        -
             387         1 /        -
             670         1 /        -
             667         1 /        -
             702         1 /        -
             719         1 /        -
             744         1 /        -
             738         1 /        -
             752         1 /        -
             753         1 /        -
             760         1 /        -
             761         1 /        -
             762         1 /        -
             687         1 /        -
             633         1 /        -
             660         1 /        -
             624         1 /        -
             623         1 /        -
             622         1 /        -
             632         1 /        -
             783         1 /        -
             785         1 /        -
             745         1 /        -
             648         1 /        -
             808         1 /        -
             809         1 /        -
             814         1 /        -
             787         1 /        -
             654         1 /        -
             813         1 /        -
             635         1 /        -
             795         1 /        -
             828         1 /        -
             796         4 /        -
             206         4 /        -
             432         5 /        -

**onecluster show 100**

    CLUSTER 100 INFORMATION
    ID                : 100
    NAME              : production

    CLUSTER TEMPLATE


    HOSTS
    1
    2
    4
    5
    6
    10
    12
    13
    15
    16
    17
    21
    22
    24
    25
    30
    32
    33
    42
    43
    44
    45
    46
    47
    48
    60
    64

    VNETS
    0
    1
    2
    3
    4
    5
    8
    10
    11
    13

    DATASTORES
    102

On June 25 we are going to update to the latest version to activate the ACL, and hope that solves the problem.

Hi,

So now the problem is that without the ACL `@1 -H--------- * -m-- #0`, VMs from the users group are not deployed.
But from your oneacl list, I see that the resource provider (cluster 100, zone 0) has the corresponding ACL rule, `@1 -H--------- %100 -m-- #0`.

What might be happening is that your VMs cannot be deployed in cluster 100. Do they have any sched requirements, or sched message explaining why they were not scheduled?
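Two points in this thread can be checked mechanically rather than by eye: the earlier reply that the scheduler looks for HOST MANAGE (not USE) when placing a VM, and the comparison above between the wildcard rule `@1 -H--------- * -m-- #0` and the resource-provider rule `@1 -H--------- %100 -m-- #0`. The script below is an added example, not OpenNebula code and not from any participant in this thread. It parses the text table that `oneacl list` prints (the sample rules are copied from the second listing in the thread), resolves which hosts a subject such as `@1` can MANAGE given a host-to-cluster map, and flags wildcard HOST MANAGE rules as over-broad. The host map is constructed: hosts 1 and 2 are in cluster 100 per `onecluster show 100`, while placing host 56 in cluster id 109 as a stand-in for the "hadoop" cluster (whose id never appears in the thread) is an assumption.

```python
"""Audit HOST MANAGE rights in `oneacl list` output (OpenNebula 4.x).

Added example, not OpenNebula's own code. It parses the table that
`oneacl list` prints, keeps the rules granting MANAGE on HOST (the right
the scheduler checks before placing a VM on a host), resolves which hosts
a subject such as @1 can reach, and flags wildcard rules like ACL 1/120.
"""
from dataclasses import dataclass

# Letter order of the RES_VHNIUTGDCOZ and OPE_UMAC columns.
RESOURCE_LETTERS = "VHNIUTGDCOZ"
RIGHT_LETTERS = "umac"


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    subject: str          # "#uid", "@gid" or "*"
    resources: frozenset  # subset of RESOURCE_LETTERS, e.g. {"H"}
    target: str           # "*", "#id", "@gid" or "%cluster_id"
    rights: frozenset     # subset of RIGHT_LETTERS, e.g. {"m"}
    zone: str             # "#zone_id" or "*"


def parse_oneacl(text):
    """Parse `oneacl list` output; the header and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].isdigit():
            continue
        rid, subject, res, target, ops, zone = parts
        rules.append(AclRule(int(rid), subject,
                             frozenset(c for c in res if c != "-"),
                             target,
                             frozenset(c for c in ops if c != "-"),
                             zone))
    return rules


def host_manage_rules(rules, subject):
    """Rules giving `subject` (or everyone, '*') MANAGE on HOST resources."""
    return [r for r in rules if r.subject in (subject, "*")
            and "H" in r.resources and "m" in r.rights]


def allowed_hosts(rules, subject, hosts):
    """Host ids `subject` may MANAGE; `hosts` maps host id -> cluster id."""
    reachable = set()
    for rule in host_manage_rules(rules, subject):
        for host_id, cluster_id in hosts.items():
            if rule.target in ("*", f"#{host_id}", f"%{cluster_id}"):
                reachable.add(host_id)
            # An "@gid" target means objects owned by that group; hosts
            # have no owning group, so such a rule never matches a host.
    return reachable


def overbroad_host_rules(rules):
    """HOST MANAGE rules whose target is '*', i.e. every host in the zone."""
    return [r for r in rules
            if "H" in r.resources and "m" in r.rights and r.target == "*"]


# Rules copied from the thread's second `oneacl list`, trimmed to the ones
# that touch hosts; the header line is kept to show that it is skipped.
ACL_LIST = """\
    ID     USER RES_VHNIUTGDCOZ   RID OPE_UMAC  ZONE
   116     #444     -H---------   #56     u---    #0
   118       @1     -H---------  %100     -m--    #0
   119       @1     --N----D---  %100     u---    #0
   120       @1     -H---------     *     -m--    #0
"""

# Constructed host -> cluster map. Hosts 1 and 2 are in cluster 100 per the
# thread's `onecluster show 100`; placing host 56 in cluster id 109 (a stand-in
# for the "hadoop" cluster, whose id the thread never shows) is an assumption.
HOSTS = {1: 100, 2: 100, 56: 109}


def audit(text=ACL_LIST, hosts=HOSTS):
    """Compare @1's reach with and without the wildcard HOST MANAGE rule."""
    rules = parse_oneacl(text)
    wildcard = overbroad_host_rules(rules)
    scoped = [r for r in rules if r not in wildcard]
    return {
        "overbroad_ids": [r.rule_id for r in wildcard],
        "group1_hosts_with_wildcard": sorted(allowed_hosts(rules, "@1", hosts)),
        "group1_hosts_without_wildcard": sorted(allowed_hosts(scoped, "@1", hosts)),
        # Rule 116 grants USE, not MANAGE, on host 56: the scheduler would
        # not place #444's VMs there on the strength of that rule.
        "user444_hosts": sorted(allowed_hosts(rules, "#444", hosts)),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run against a real deployment by piping `oneacl list` into `parse_oneacl` and filling the host map from `onehost list`. With the sample rules, `@1` reaches every host while rule 120 exists and only the cluster-100 hosts once it is removed, which is the least-privilege state the resource provider is meant to produce; user `#444` reaches no host through rule 116 because USE is not the right the scheduler checks.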

Hi.

Today I updated to the latest stable version, and now I'm going to use VDCs to manage the rights properly and see what happens…

I'll keep your recommendation, because it's possible my current ACLs and the new VDCs don't work well together.