VMware ESX Server 2.0

Characteristics of the VMware Service Console

The purpose of the VMware service console is to start up and administer your virtual machines. It is a customized version of Linux based on the Red Hat 7.2 distribution. It has been modified so it can be managed by the VMkernel.

The service console has been customized to disable unneeded services. In particular, most network services have been disabled, except for auth. For remote access to the service console, ssh is enabled by default. The root user can modify settings for ssh, Telnet and FTP using the security configuration page in the management interface (http://<servername>/security-config).

The service console is scheduled by the VMkernel just as any other virtual machine is. You should not attempt to run heavy workloads on the service console, because it may take processor cycles away from your virtual machines.

Using DHCP for the Service Console

The recommended setup is to use static IP addresses for the service console. It is also possible to set up the service console to use DHCP, so long as your DNS server is capable of mapping the service console's host name to the dynamically-generated IP address.

If your DNS server cannot map the host's name to its DHCP-generated IP address, which may be the case, you must determine the service console's numeric IP address yourself and use that numeric address when accessing the management interface's Web pages.

Keep in mind that the numeric IP address may change as DHCP leases run out or when the system is rebooted. For this reason, we do not recommend using DHCP for the service console unless your DNS server can handle the host name translation.

Managing the Service Console

The command summary in this section provides an introduction to the commands you are most likely to use at the service console. Some are specific to ESX Server. Most are commands that are the same as those you would use at a Linux command line.

Connecting to the Service Console

If you have direct access to the computer where ESX Server is running, you can log in to the physical console on that computer. Press Alt-F2 to get to the login screen.

Depending on the security settings for your ESX Server computer, you may be able to connect remotely to the service console using SSH or Telnet. For more information on the security settings, see Authentication and Security Features.

Whether you use the service console locally or through a remote connection, you must log in using a valid user name and password.

Commands Specific to ESX Server

Identifying Network Cards

The findnic command lets you send network traffic from a specified network adapter so you can observe the LEDs on the adapters and see which physical adapter is associated with that device name. The format of the command is

findnic <options> <nic-name> <local-ip> <remote-ip>

 Option
 Explanation
 -f
 Do a flood ping.
 -i <seconds>
 Send pings at specified interval.

Example:

findnic -f vmnic1 10.2.0.5 10.2.0.4
Binds VMkernel device vmnic1 to IP address 10.2.0.5, then tries to flood ping the remote machine with the IP address 10.2.0.4.

For more information, see The VMkernel Network Card Locator.

Managing a VMware ESX Server File System

The vmkfstools command lets you create and manipulate files on SCSI disks managed by ESX Server.

Note: You must be logged in as the root user to run the vmkfstools command.

The format for the vmkfstools command, when specifying a SCSI device, is:

vmkfstools <options> <device_or_VMFS_volume>[:<file>]

where <device_or_VMFS_volume> specifies a SCSI device (a SCSI disk or a partition on a SCSI disk) being manipulated or a VMFS volume, and <options> specifies the operation to be performed.

If <device_or_VMFS_volume> is a SCSI device, then it is specified in a form such as:

vmhba1:2:0:3

<device_or_VMFS_volume> may also be a VMFS volume name, as set in the management interface or with the vmkfstools --setfsname command.

<file> is the name of a file stored in the VMFS volume on the specified device.

The format for the vmkfstools command, when specifying a VMFS volume or file, is:

vmkfstools <options> <path>

where <path> is an absolute path that names a directory or a file under the /vmfs directory.

For a detailed explanation on using this command and its options, see Using vmkfstools.

Automatically Mounting VMFS Volumes

VMFS volumes are automatically mounted in the /vmfs directory on the service console when the VMkernel is loaded as the computer boots.

Loading VMkernel Device Modules

The program vmkload_mod is used to load device driver and network shaper modules into the VMkernel. vmkload_mod can also be used to unload a module, list the loaded modules and list the available parameters for each module.

The format for the command is

vmkload_mod <options> <module-binary> <module-tag> <parameters>

For more information, see VMkernel Module Loader.

Common Linux Commands Used on the Service Console

The service console runs a modified version of Linux, and many of the commands available on Linux or Unix are also available on the service console. This section summarizes the most commonly used commands. For more detailed information, see Getting Help for Service Console Commands or consult a Linux reference book.

Manipulating Files

To navigate through the directory structure and manipulate files and directories, you must have proper permissions. In some areas of the file system, your abilities may be restricted when you are logged in as an ordinary user. You may need to log in as root, also known as the super user (su), to perform some tasks.

 Command
 Example and Explanation
 cd
 Change directories.

cd /home/user
Change to the directory /home/user (the home directory for a user with the user name user).

cd ..
Go up one level from the current directory.
 cp
 Copy a file.

cp oldfile newfile
Make a copy of the file oldfile in the current directory. The copy is named newfile.

cp oldfile /home/user
Make a copy of the file oldfile in the current directory. The copy also has the name oldfile and is in the directory /home/user.
 ln
 Create a link from one file or directory to another file or directory.

ln -s /bin/program prolink
Create a soft link (shortcut) from the existing file /bin/program to prolink. The link prolink is created in the current working directory. If you enter the command prolink, you run the program /bin/program.
 ls
 List the files in the current directory.

ls -al
List all (-a) the files in the current directory in long (-l) format.

ls *.html
List files in the current directory that end with .html. The * is a wild-card character that represents any number of characters. The ? is a wild-card character that represents a single character.

ls /home/user
List the files in the directory /home/user.
 mkdir
 Make a new directory.

mkdir newdir
Make a new directory called newdir beneath the current directory.

mkdir /home/newdir
Make a new directory called newdir beneath the /home directory.
 mv
 Move a file to a new directory or rename the file.

mv myfile /home/user
Move the file myfile from the current directory to the directory /home/user.

mv myfile yourfile
Rename the file myfile. The new filename is yourfile.
 pwd
 Show the path to the present working directory.
 rm
 Remove a file.

rm deadfile
Remove the file deadfile from the current directory.
 rmdir
 Remove a directory.

rmdir gone
Remove the directory gone, which exists beneath the current directory.

Finding and Viewing Files
 Command
 Example and Explanation
 cat
 Concatenate the contents of files and display the content on the screen.

cat /proc/vmware/mem
Display the contents of the file /proc/vmware/mem.
 find
 Find files under a specified directory that match conditions you specify.

find / -name myfil*
Find files in the root directory and all directories under it that have file names beginning with myfil. The * is a wild-card character that represents any number of characters. The ? is a wild-card character that represents a single character.

find -name '*.vmx' -print -exec chown User2 {} \;
Find all files in this directory and all subdirectories that end with .vmx, display the names of all files that are found on the screen and, for each file (indicated by the curly braces — {}), change its owner to User2.
 The -print option is not necessary, but it is handy to track the progress of the find command. If you do not use -print, the find command is silent except for error messages from find or from chown.

find -name '*.vmx' -exec grep -il 'SOMETHING' {} \;
Find all files in this directory and all subdirectories that end with .vmx and look for the pattern SOMETHING in each of the files. The -i option to grep makes the search case-insensitive. The -l option to grep causes grep to display the names of the files that have SOMETHING in them. When a file is found that contains SOMETHING, this command displays the full path to the file from the current directory (for example, ./virtualmachines/Linux/RedHat71Test/redhat71.vmx).
 grep
 Search for a specified text pattern in a specified directory or list of files and display the lines in which the pattern is found.

grep "log file" *
Search all the files in the current directory for the text string log file.
 less
 Display the contents of a specified file one screen at a time. Use the arrow keys to move up and down through the file.

less myfile
Display the contents of the file myfile.

grep "log file" * | less
Search all the files in the current directory for the text string log file and use less to display the results so you can scroll up and down through them.
 more
 Display the contents of a specified file one screen at a time. Use the spacebar to move forward through the file a screen at a time; use the Enter key to move forward through the file one line at a time.

more myfile
Display the contents of the file myfile.

grep "log file" * | more
Search all the files in the current directory for the text string log file and use more to display the results so you can view them one screen at a time.

Managing the Computer and Its Users

The root user or super user (su) can run all of these commands. Some of the commands — generally, those that simply provide information — are available to other users, as well.

 Command
 Example and Explanation
 apropos
 Find commands with descriptions that include a specified word. Displays the name of the command and the first line of the description.

apropos file
Find commands with descriptions that include the word file.

apropos file | less
Find commands with descriptions that include the word file and use less to display the results so you can scroll up or down through them.
 du
 Display usage in kilobytes for contents of the current directory or for a specified file or directory.

du /bin
Show how much disk space is used by the /bin directory.
 vdf
 vdf is an ESX Server-customized version of the df command. Use vdf in place of the df command. vdf works with all the standard df options.
 Displays free space for all mounted file systems. The listing also shows the total space, amount of space used and percentage of space used for each file system.
 fdformat
 Do a floppy disk format.

fdformat /dev/fd0
Format a floppy disk in the first floppy disk drive.
 groupadd
 Add a new group.

groupadd newgroup
Add a group named newgroup to the system.
 hostname
 Display the system's host name.
 ifconfig
 Display the network interface configuration information for devices used by the service console.
 insmod
 Install a loadable module into the running kernel.

insmod parport
Install the loadable module named parport into the running kernel.
 kill
 Kill a specified process.

kill 3456
Kill the process with a process ID of 3456.
 kill -9 is the surest way to kill a process; however, use it only as a last resort since it will not save editor buffers.
 lsmod
 List all loaded modules.
 lspci
 List PCI devices available to the service console.

lspci -v
List PCI devices in verbose mode.
 mount
 Mount a specified storage device at a specified location in the file system.

mount /dev/fd0 /mount/floppy
Mount the first physical floppy drive so its contents are visible in the directory /mount/floppy. The directory /mount/floppy must already exist.
 passwd
 Change your password.

passwd user
Change the password for a user named user. You must be logged in as the root user (su) to change another user's password.
 ps
 Show names, process IDs and other information for running processes.

ps -ef
Show full (-f) information about every (-e) running process.
 shutdown
 Shut down the computer.

shutdown -h 5
Completely halt (-h) the computer in 5 minutes.

shutdown -r now
Shut down and restart (-r) the computer immediately.
 umount
 Unmount a specified device.

umount /mount/floppy
Unmount the device currently mounted at /mount/floppy.
 useradd
 Add a new user to the system.

useradd newuser
Add a new user with a user name of newuser to the system.
 who
 Show the user names of all users logged in to the system.
 whoami
 Show what user name you are currently using on the system.

Setting File Permissions and Ownership

Files and directories on the service console can have read, write and execute permissions. Those permissions can be on or off for the owner of the file (generally, the user who created it), the specified group (generally, a group to which the creator belongs) and all other users on the system. Permissions are indicated for each file when you display a long directory listing, as seen in the following sample.

[User@vmwareserver win2000]$ ls -la
total 104
drwxr-xr-x 2 User User 4096 Jul 17 11:15 .
drwxr-xr-x 5 User User 4096 Jul 17 09:51 ..
-rw------- 1 User User 8664 Jul 17 16:17 nvram
-rw-r--r-- 1 User User 77763 Jul 18 14:14 vmware.log
-rwxr-xr-- 1 User User 1307 Jul 17 11:20 win2000.vmx

Notice that in the top two lines of the directory listing, the first character is the letter d. That indicates the listing on the line is for a directory. The single dot at the end of the first line indicates this listing is for the current directory. The two dots at the end of the second line indicate this listing is for the parent of the current directory.

The first character in the last line is a -. This indicates that win2000.vmx is an ordinary file. The word User in the third column indicates the file is owned by a user named User. The word User in the fourth column indicates the file's owner is a member of a group named User.

Permissions for the owner, the specified group and all other users are indicated in the first column: -rwxr-xr--. The owner's permissions are specified first: rwx (read, write and execute). Permissions for other members of the group User are r-x (read and execute). The final cluster of three characters (r--) indicates all other users have permission to read the file but not to write to it or execute it.

You can change permissions for a file using the chmod command, shown in the next table. One convenient way of specifying the permissions you want to set is by using a numerical shorthand.

Read = 4
Write = 2
Execute = 1

Combinations of these permissions are specified by adding the numbers for the permissions you want to set. For example, read and execute is 5. Read, write and execute is 7.

Permissions are specified in the same order as they are shown in the directory listing — owner, group, all other users.

 Command
 Example and Explanation
 chmod
 Change mode (permissions) for a specified file, group of files or directory.

chmod 755 *.vmx
Set permissions on all files in the current directory that end with .vmx to be -rwxr-xr-x.

chmod 660 nvram
Set permissions on the file nvram in the current directory to be -rw-rw----.
 chown
 Change the owner of a specified file. You can change the owner and the group for a file at the same time.

chown User2 win2000.vmx
Change the owner of the file win2000.vmx to User2.

chown User2:VMUsers win2000.vmx
Change the owner of the file win2000.vmx to User2 and change the group to VMUsers.
 chgrp
 Change the group for a specified file.

chgrp VMUsers win2000.vmx
Change the group for the file win2000.vmx to VMUsers.

Switching User Names
 Command
 Example and Explanation
 su
 Switch user. By default, this allows you to log in as the root user if you know the root user's password. You can also use the command to log in as any other user if you know the appropriate user name and password. Enter the command, then enter the password when prompted.

su User2
Log in as User2.

 exit
 Log out. If you have used su to log in as a different user, this returns you to your previous user name.

The proc File System

The proc file system is a set of directories, beginning with /proc, that exist in memory while ESX Server is running. The contents of these directories are not stored on disk.

The /proc/vmware directory contains information specific to the running of the ESX Server virtualization layer in virtual machines. You can use the cat command to check status and use the echo command to write values to certain files in the proc file system to change the configuration of ESX Server.

Note: Most of this information is also available through the VMware Management Interface, and we strongly recommend that you obtain and set information through this management interface. Do not add or change any options in this directory unless you are instructed to by VMware support to solve an issue with ESX Server.

Caution: Do not use the proc interface to set any values other than those mentioned in these sections:

Note: The contents and format of the /proc/vmware directory may change between releases of ESX Server.

 /proc/vmware Entry
 Description
 chipset
 State of interrupt controllers.
 config
 Advanced ESX Server parameters available through the VMware Management Interface.
 debug
 Debugging information.
 filters
 Network traffic shaping. See Traffic Shaping with nfshaper.
 interrupts
 Used, together with chipset, to determine the state of interrupt controllers.
 log
 VMkernel log output.
 loglevels
 Amount of debug logging.
 mem
 Memory parameters. See Memory Resource Management.
 migration
 Reserved for future use.
 net
 Configuration and statistics for virtual NICs and bond devices. See .
 pci
 State of PCI adapters in the system (what they are and how they're partitioned).
 procstats
 Statistics for the /proc/vmware directory.
 pshare
 Page sharing statistics for memory resource management. See Sharing Memory Across Virtual Machines and Memory Sharing.
 rpcstats
 Statistics on remote procedure calls (RPCs).
 sched
 Scheduler statistics on memory and CPU.
 scsi
 Information on SCSI devices and mappings between storage controllers and virtual machines.
 shrdev
 Statistics on shared devices.
 stats
 Counts of various low-level events in ESX Server.
 swap
 Swap statistics.
 thermmon
 Thermal monitoring information for each Pentium 4 processor.
 timers
 State of ESX Server internal timed event scheduler.
 uptime
 ESX Server uptime.
 vm
 Statistics for individual virtual machines by VMID.
 vmkperf
 Statistics on ESX Server performance.
 watchpoints
 Statistics for debugging.

Getting Help for Service Console Commands

Detailed usage notes for most service console commands are available as manual — or man — files. To view the manual file — or man page — for a particular command, use the man command followed by the name of the command for which you want to see information.

 Command
 Example and Explanation
 man
 Displays the manual page for a specified command. Press the spacebar to go to the next screen of text. Press q to exit from the display when you are finished.

man cat
Display the manual page for the command cat.

man cat | less
Display the manual page for the command cat, and use less to display the results so you can scroll up and down through them.

Authentication and Security Features

There are three key aspects to security with VMware ESX Server.

  • VMware ESX Server authenticates all remote users who connect to a server using the VMware Management Interface or the VMware Remote Console.
  • Security for network traffic to and from the server depends on the security settings in the server configuration.
  • Three or more TCP/IP ports are used for access, depending on the security settings in your ESX Server configuration.

    Depending on your remote access requirements, you may need to configure your firewall to allow access on one or more of these ports. For details on which ports are used, see TCP/IP Ports for Management Access.

Authenticating Users

VMware ESX Server uses Pluggable Authentication Modules (PAM) for user authentication in the remote console and the VMware Management Interface. The default installation of ESX Server uses /etc/passwd authentication, just as Linux does, but it can easily be configured to use LDAP, NIS, Kerberos or another distributed authentication mechanism.

The PAM configuration is in /etc/pam.d/vmware-authd.

Every time a connection is made to the server running ESX Server, the inetd process runs an instance of the VMware authentication daemon (vmware-authd). The vmware-authd process requests a user name and password, then hands them off to PAM, which performs the authentication.

Once a user is authenticated, vmware-authd accepts a path name to a virtual machine configuration file. Access to the configuration file is restricted in the following ways:

  • The user must have read access to the configuration file to see and control the virtual machine in the VMware Management Interface and to view the virtual machine details pages.
  • The user must have read access to the configuration file to use the local console on the service console or to connect to the virtual machine with the VMware Perl API.
  • The user must have read and execute access to the configuration file to connect to and control (start, stop, reset or suspend) a virtual machine in a remote console, with the VMware Perl API or with the management interface.
  • The user must have read and write access to the configuration file to change the configuration using the Configure VM page in the management interface.

Note: If you have users with list access, but not read access, they may encounter errors in the VMware Management Interface.
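The following shell script is an added example and is not part of the VMware documentation. It ties together the numeric permission shorthand from Setting File Permissions and Ownership (read = 4, write = 2, execute = 1, in owner/group/other order) and the vmware-authd rules above: read access on the configuration file allows viewing the virtual machine, read plus execute allows controlling it, and read plus write allows changing its configuration. The function names are this example's own; the sample mode -rwxr-xr-- is the one shown for win2000.vmx in the directory listing above, and the rules are taken from the list above.

```sh
#!/bin/sh
# Added example, not part of the VMware ESX Server documentation.
# Translates between the permission column printed by "ls -l" and the numeric
# chmod shorthand (read=4, write=2, execute=1), then applies the vmware-authd
# access rules from this page to a virtual machine configuration (.vmx) file.
# Function names are this example's own; the rules and sample modes come from the page.

# mode_to_octal: "-rwxr-xr--" (or "rwxr-xr--") -> "754"
mode_to_octal() {
    perms=$1
    # ls -l prefixes a file-type character (- for a file, d for a directory); drop it
    if [ "${#perms}" -eq 10 ]; then perms=${perms#?}; fi
    if [ "${#perms}" -ne 9 ]; then
        echo "mode_to_octal: expected 9 or 10 characters, got '$1'" >&2
        return 1
    fi
    out=
    while [ -n "$perms" ]; do
        rest=${perms#???}          # everything after the first triplet
        trip=${perms%"$rest"}      # the first triplet itself
        perms=$rest
        n=0
        case $trip in r??) n=$((n + 4)) ;; esac
        case $trip in ?w?) n=$((n + 2)) ;; esac
        case $trip in ??x) n=$((n + 1)) ;; esac   # setuid/setgid/sticky bits are out of scope
        out=$out$n
    done
    printf '%s\n' "$out"
}

# octal_to_mode: "754" -> "rwxr-xr--"
octal_to_mode() {
    digits=$1
    if [ "${#digits}" -ne 3 ]; then
        echo "octal_to_mode: expected three digits, got '$1'" >&2
        return 1
    fi
    out=
    while [ -n "$digits" ]; do
        rest=${digits#?}
        d=${digits%"$rest"}
        digits=$rest
        case $d in [0-7]) ;; *) echo "octal_to_mode: bad digit '$d'" >&2; return 1 ;; esac
        if [ $((d & 4)) -ne 0 ]; then out=${out}r; else out=${out}-; fi
        if [ $((d & 2)) -ne 0 ]; then out=${out}w; else out=${out}-; fi
        if [ $((d & 1)) -ne 0 ]; then out=${out}x; else out=${out}-; fi
    done
    printf '%s\n' "$out"
}

# vmx_access MODE WHO: the operations the page allows for WHO (owner, group or
# other) on a .vmx file with permission string MODE.
#   read            -> view (management interface, local console, Perl API)
#   read + execute  -> control (start, stop, reset, suspend)
#   read + write    -> configure (Configure VM page)
# Prints "none" when the caller cannot read the file at all.
vmx_access() {
    mode=$1
    who=$2
    if [ "${#mode}" -eq 10 ]; then mode=${mode#?}; fi
    case $who in
        owner) bits=${mode%??????} ;;                 # first triplet
        group) mid=${mode#???}; bits=${mid%???} ;;    # middle triplet
        other) bits=${mode#??????} ;;                 # last triplet
        *) echo "vmx_access: WHO must be owner, group or other" >&2; return 1 ;;
    esac
    case $bits in
        r??) ops=view ;;
        *)   printf 'none\n'; return 0 ;;   # without read access nothing is permitted
    esac
    case $bits in ??x) ops="$ops control" ;; esac
    case $bits in ?w?) ops="$ops configure" ;; esac
    printf '%s\n' "$ops"
}

# Walk the sample listing from the page: win2000.vmx is -rwxr-xr--, which is also
# the default permission set ESX Server registers for a new configuration file.
for who in owner group other; do
    printf '%s (mode %s) as %s: %s\n' win2000.vmx \
        "$(mode_to_octal -rwxr-xr--)" "$who" "$(vmx_access -rwxr-xr-- "$who")"
done
printf 'chmod 660 nvram yields -%s\n' "$(octal_to_mode 660)"
```

The script shows why the default 754 registration matters: the owner can do everything, members of the owner's group can view and control but not reconfigure, and everyone else can only view. Dropping the execute bit for a class (for example chmod 744) removes control for that class while leaving the read access the management interface needs to list the machine.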

If a vmware process is not running for the configuration file you are trying to use, vmware-authd examines /etc/vmware/vm-list, the file where you register your virtual machines. If the configuration file is listed in vm-list, vmware-authd (not necessarily the user who is currently authenticated) starts VMware ESX Server as owner of this configuration file.

Registered virtual machines (those listed in /etc/vmware/vm-list) also appear in the VMware Management Interface. The virtual machines you see on the Status Monitor page must be listed in vm-list, and you must have read access to their configuration files.

The vmware-authd process exits as soon as a connection to a vmware process is established. Each vmware process shuts down automatically after the last user disconnects.

Using Your Own Security Certificates when Securing Your Remote Sessions

The username, password and network packets sent to ESX Server over a network connection when using the VMware Remote Console or the VMware Management Interface are encrypted in ESX Server by default when you choose Medium or High security settings for the server.

With SSL enabled, security certificates are created by ESX Server and stored on the server. However, the certificates used to secure your management interface sessions are not signed by a trusted certificate authority; therefore they do not provide authentication. If you intend to use encrypted remote connections externally, you should consider purchasing a certificate from a trusted certificate authority.

If you prefer, you can use your own security certificate for your SSL connections.

The VMware Management Interface certificate must be placed in /etc/vmware-mui/ssl. The management interface certificate consists of 2 files: the certificate itself (mui.crt) and the private key file (mui.key). The private key file should be readable only by the root user.

When you upgrade the management interface, the certificate remains in place and, in case you removed the management interface, the directory is not removed from the service console.

Default Permissions

When you create a virtual machine with VMware ESX Server, its configuration file is registered with the following default permissions, based on the user accessing it:

  • Read, execute and write — for the user who created the configuration file (the owner)
  • Read and execute — for the owner's group
  • Read — for users other than the owner or a member of the owner's group

TCP/IP Ports for Management Access

The TCP/IP ports available for management access to your ESX Server machine vary, depending on the security settings you choose for the server. If you need to manage ESX Server machines from outside a firewall, you may need to reconfigure the firewall to allow access on the appropriate ports. The lists below show which ports are available when you use each of the standard security settings.

The key ports for use of the VMware Management Interface and the VMware Remote Console are the HTTP or HTTPS port and the port used by vmware-authd. Use of other ports is optional.

High Security

  • 443 - HTTPS, used by the VMware Management Interface
  • 902 - vmware-authd, used when you connect with the remote console
  • 22 - SSH, used for a secure shell connection to the service console

Medium Security

  • 443 - HTTPS, used by the VMware Management Interface
  • 902 - vmware-authd, used when you connect with the remote console
  • 22 - SSH, used for a secure shell connection to the service console
  • 23 - Telnet, used for an insecure shell connection to the service console
  • 21 - FTP, used for transferring files to and from other machines
  • 111 - portmap, used by the NFS client when mounting a drive on a remote machine

Low Security

  • 80 - HTTP, used by the VMware Management Interface
  • 902 - vmware-authd, used when you connect with the remote console
  • 22 - SSH, used for a secure shell connection to the service console
  • 23 - Telnet, used for an insecure shell connection to the service console
  • 21 - FTP, used for transferring files to and from other machines
  • 111 - portmap, used by the NFS client when mounting a drive on a remote machine