
VMware ESXi 5.0 Operations Guide
Technical White Paper
Table of Contents
Introduction
Architecture
Management
Automation
Installation Destination
ESXi Scratch Partition
Deployment
Hardware Monitoring
Firmware Upgrades
Systems Management and Backup
Patching and Updating
Image Builder
User Authentication
Logging
ESXi Shell
Local Access and Lockdown Mode
ESXi Firewall
ESXi Firewall CLI
Diagnostics and Troubleshooting
Summary
VMware ESXi Editions
References
Introduction
The hypervisor architecture of VMware vSphere 5.0 plays a critical role in the management of the virtual infrastructure. The introduction of the bare-metal VMware ESX architecture in 2001 significantly enhanced performance and reliability, which in turn enabled customers to extend the benefits of virtualization to their mission-critical applications. The introduction of the VMware ESXi architecture represents a similar leap forward in reliability and virtualization management. Less than 5 percent of the footprint of ESX, ESXi runs independently of a host operating system (OS) and improves hypervisor management in the areas of security, deployment and configuration, and ongoing administration. Yet none of this comes at the cost of functionality.
This paper describes the architecture of ESXi and then explains how various management tasks are performed in it. This information can be used to help plan a migration to the ESXi architecture from the legacy ESX framework and to improve or enhance day-to-day operations.
Architecture
In the original ESX architecture, the virtualization kernel (VMkernel) is augmented by a management partition known as the console operating system (COS) or service console. The primary purpose of the COS is to provide a management interface with the host. Various VMware management agents are deployed in the COS, along with other infrastructure service agents (for example, name service, time service, logging, and so on). In this architecture, many customers deploy other agents from third parties to provide a particular functionality, such as hardware monitoring and systems management. Furthermore, individual administrative users log in to the COS to run configuration and diagnostic commands and scripts.

Figure 1. Architecture of VMware ESX (diagram labels: hardware monitoring agents; system management agents; VMware management agents; CLI commands for configuration and support; infrastructure agents (NTP, Syslog); service console; VMkernel; virtual machine support and resource management; VMs)
In the ESXi architecture, the COS has been removed, and all of the VMware agents run directly on the VMkernel. Infrastructure services are provided natively through modules included in the VMkernel. Other authorized third-party modules, such as hardware drivers and hardware monitoring components, can run in the VMkernel as well. Only modules that have been digitally signed by VMware are allowed on the system, creating a tightly locked-down architecture. Preventing arbitrary code from running on the ESXi host greatly improves the security and stability of the system.
Figure 2. Architecture of VMware ESXi (diagram labels: VMkernel; local support consoles; CLI commands for configuration and support; agentless systems management; VMware management framework; infrastructure agents (NTP, Syslog); virtual machine support and resource management; Common Information Model; agentless hardware monitoring; VMs)
Management
The management functionality that was provided by agents in the ESX architecture is now exposed via APIs in the ESXi architecture. This enables an agentless approach to hardware monitoring and systems management. VMware also created remote command-line interface (CLI) tools, such as the VMware vSphere Command-Line Interface (vSphere vCLI) and VMware vSphere PowerCLI (vSphere PowerCLI), to provide command and scripting capabilities in a more controlled manner. These remote command-line sets include a variety of commands for configuration, diagnostics and troubleshooting. For low-level diagnostics and for initial configuration, a menu-driven and command-line interface is available on the local console of the server. In addition, a local version of the esxcli command set is accessible directly from the host's local shell, referred to as the ESXi Shell. These are discussed in more detail in the following sections, which also discuss individual management topics and describe how tasks are performed in the ESXi architecture.
Figure 3. New and Improved Paradigm for VMware ESX Management (diagram labels, Classic VMware ESX: service console (COS); management agents; hardware agents; commands for configuration and diagnostics; infrastructure service agents. Diagram labels, VMware ESXi: agentless vAPI-based; agentless CIM-based; vCLI, PowerCLI; local support console; CIM API; vSphere API; native agents: hostd, vpxa, NTP, Syslog, SNMP, etc.)
Automation
To automate the management of an ESXi deployment, VMware has created easy-to-use CLI tools. Users can employ them to write scripts that provide the same functionality as the VMware vSphere Client to automate manual tasks, enabling efficient management and configuration of small- to large-scale environments. These CLI tools work well with both ESXi and ESX hosts, empowering users to administer mixed environments easily.
vSphere PowerCLI is a robust, Windows-based CLI tool for automating all aspects of vSphere management, including host, network, storage, virtual machine, guest OS and more. It is distributed as a Windows PowerShell snap-in. Windows PowerShell is a scripting tool written by Microsoft and designed for the systems administrator. vSphere PowerCLI includes more than 300 PowerShell cmdlets, along with built-in documentation and samples. It seamlessly blends the vSphere platform with Windows and .NET, which means users can utilize it by itself or within many different third-party tools.
vSphere vCLI is a separate set of CLI tools that, like vSphere PowerCLI, can be used to perform remote management of ESX and ESXi hosts. Whereas vSphere PowerCLI is very Windows-centric, vSphere vCLI has a more Linux-like look and feel and targets non-Windows users. VMware provides vCLI packages for installation on both Windows and Linux systems. vCLI is also packaged as part of the VMware vSphere 5.0 Management Assistant (vMA), a Linux-based virtual appliance that packages the vCLI together with other tools to facilitate deployment and use of the vCLI.
Whereas vSphere PowerCLI is built on top of Windows PowerShell and is composed of a collection of PowerShell cmdlets, vSphere vCLI is a combination of the following separate command-line tools:
esxcli
vmkfstools
vmware-cmd
resxtop
vicfg-*
In ESXi 5.0, most of the vCLI command-line tools are the same as in earlier ESX/ESXi releases, with the exception of the esxcli command. In ESXi 5.0, the esxcli command has been enhanced and is now available both locally from the ESXi Shell and remotely through the vCLI. The new esxcli command marks the beginning of VMware efforts to standardize on a single command-line interface for both local and remote administration.
Figure 4. esxcli: a Standardized Command-Line Interface
The improved esxcli command provides an intuitive interface that enables real-time discovery of command syntax. Whereas the command structure is similar in look-and-feel to its vSphere 4.x predecessor, the new esxcli command has an improved syntax that has been extended to include additional functionality not available in earlier versions, such as the ability to configure network policies and security policies, manage VIBs, and configure and manage the ESXi firewall.
The vicfg- family of commands, introduced in the vCLI in vSphere 4.0, is still available in vCLI 5.0, but most of these commands are played down in favor of the esxcli equivalent. The following vicfg commands do not have an esxcli equivalent in vSphere 5.0:
vicfg-authconfig
vicfg-cfgbackup
vicfg-hostops
vicfg-ipsec
vicfg-ntp
vicfg-route
vicfg-snmp
vicfg-user
vifs
All other vicfg commands should be avoided in favor of their esxcli equivalents, which are listed in the vSphere Command-Line Interface Concepts and Examples document, part of the vSphere 5.0 documentation set.
As was previously mentioned, the esxcli command is available on each ESXi host via the ESXi Shell, in addition to being available as part of the optional vCLI package that can be installed on any supported Windows or Linux server (or through the vMA).
esxcli connect options namespace cmd options
Figure 5. esxcli Command Structure
In addition to providing a consistent look and feel for both local and remote CLI administration, the new esxcli command provides the ability to format the command output. Using the --formatter option, administrators can choose to have the command output formatted as XML, a key-value pair or a list of comma-separated values. The esxcli formatter enhances users' ability to parse command output, helping to simplify scripting and improve report generation.
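One way to use the CSV formatter for a drift report, as an added example that is not part of the original guide: saved output is parsed by its header row and a host's list is compared with a baseline. The two captures are constructed, and their column names (Name, Vendor, Version) and entries are assumptions; real columns depend on the esxcli namespace queried.

```python
import csv
import io

# Constructed captures standing in for saved `esxcli --formatter=csv ...` output.
# Column names and rows are assumptions for this example, not real host output.
BASELINE_CSV = """\
Name,Vendor,Version,
esx-base,VMware,5.0.0-example1,
net-driver-a,VMware,1.0-example,
"""

HOST_CSV = """\
Name,Vendor,Version,
esx-base,VMware,5.0.0-example1,
net-driver-a,VMware,1.1-example,
extra-tool,UnknownVendor,0.1-example,
"""


def parse_formatter_csv(text):
    """Parse CSV-formatted command output into a list of dicts keyed by the header row."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None:
        return []
    rows = []
    for fields in reader:
        if not any(f.strip() for f in fields):
            continue  # skip blank lines
        # A trailing comma produces an empty header cell; that column is dropped.
        rows.append({h.strip(): v.strip() for h, v in zip(header, fields) if h.strip()})
    return rows


def diff_against_baseline(baseline_rows, host_rows, key="Name"):
    """Return entries added, removed or changed on the host relative to the baseline."""
    base = {r[key]: r for r in baseline_rows}
    host = {r[key]: r for r in host_rows}
    changed = {}
    for name in sorted(set(base) & set(host)):
        delta = {col: (base[name].get(col), host[name].get(col))
                 for col in base[name]
                 if base[name].get(col) != host[name].get(col)}
        if delta:
            changed[name] = delta
    return {
        "added": sorted(set(host) - set(base)),
        "removed": sorted(set(base) - set(host)),
        "changed": changed,
    }


def report(baseline_text, host_text, key="Name"):
    """Parse both captures and return the drift between them."""
    return diff_against_baseline(parse_formatter_csv(baseline_text),
                                 parse_formatter_csv(host_text), key)


if __name__ == "__main__":
    drift = report(BASELINE_CSV, HOST_CSV)
    print("added:  ", drift["added"])
    print("removed:", drift["removed"])
    for name, delta in drift["changed"].items():
        print("changed:", name, delta)
```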
Both vSphere PowerCLI and vSphere vCLI (including esxcli) are built on the same APIs as the vSphere Client. They can be connected directly to an ESXi host or to VMware vCenter. When connected to a host, they can execute commands directly on an ESXi host, similarly to how a command in the COS of ESX operates on only that host. Local authentication is required in this case. Alternatively, when communicating through vCenter, the vSphere vCLI and vSphere PowerCLI commands benefit from the same authentication (for example, Microsoft Active Directory), roles and privileges, and event logging as vSphere Client interactions. This provides for a much more secure and auditable management framework.
The following table contains different categories of operational procedures and the preferred tool for each category. We have rated each tool per task to classify the level of expertise required:
TASK             vCLI/vMA   POWERCLI
Reporting        Normal     Easy
Monitoring       Hard       Normal
Configuration    Easy       Easy
Automation       Normal     Easy
Troubleshooting  Easy       Hard
Table 1. Ease of Operational Tasks
Although each of the tools can be used to accomplish a given task, the preceding table can be used as an indication of which tools would best meet a user's requirements.
Installation Destination
When planning the implementation of or migration to ESXi, one of the first decisions that must be made concerns the type of installation destination to be used. The form factor of ESXi enables it to be installed on multiple different installation destination types, including the following:
Local disk (including SSD)
Removable media
    USB
    SD
Boot from SAN
    FC
    iSCSI
Diskless PXE boot
Local disks are a popular installation destination. Local disk installations have an advantage over removable devices because users are able to provide a level of resiliency to protect against disk failure. Resiliency refers to the ability to run two local disks in RAID-1. Although ESXi runs in the host memory, it routinely writes its configuration to the boot disk (every 10 minutes by default) to ensure changes will persist following a host reboot. In the case of boot media failure, these updates might be at risk, possibly resulting in a loss of configuration changes. Having a resilient boot device helps eliminate the risk.
Removable devices such as USB and SD are also popular ESXi installation destinations due to the flexibility and cost factors associated with them. These devices typically have a shorter life span than hard disks and therefore impose a minor risk. However, hardware vendors have found a solution that increases resiliency by offering a dual-SD module configuration. And many customers have further mitigated the risk by using enterprise-grade USB/SD modules and keeping several of them on hand. VMware supports removable devices only under one or more of the following conditions:
The server on which a user wants to install VMware ESXi 5.0 is in the VMware ESXi 5.0 Hardware Compatibility List (HCL).
A user has purchased a server with VMware ESXi 5.0 embedded on the server from a certified vendor.
A user has utilized a USB or SD Flash device that is approved by the server vendor for the particular server model on which they want to install VMware ESXi 5.0 on a USB or SD Flash storage device.
As of vSphere 4.1, support for boot from SAN (both FC and iSCSI) has also been included. Boot from SAN gives users resiliency and enables them to leverage the flexibility of a diskless server while still providing them with the option to do a scripted installation. Booting from SAN requires using a supported storage device and adapter. Consult the vSphere Storage/SAN Compatibility Guide for information on supported storage components.
Diskless PXE boot is introduced with vSphere 5.0 as part of VMware vSphere Auto Deploy. Using Auto Deploy, experienced systems administrators can manage large deployments efficiently. Unlike the other installation options, Auto Deploy does not store the ESXi image, its configuration or its state on disk. Instead, state is managed through VMware vCenter Server. The ESXi image profile is directly loaded into memory over the network, and the host is configured using host profiles. Auto Deploy enables a great deal of flexibility in changing the identity of a physical server. It also enables very agile update management. With Auto Deploy, updating a hypervisor is as simple as updating the host's image profile and rebooting the host. Each time the host reboots, a fresh ESXi image will be reloaded, which also helps eliminate configuration discrepancy between hosts. Auto Deploy does require an initial investment in terms of knowledge, architecture and implementation tasks.
Each type of installation media has its benefits. Depending on the environment, all media should be considered. Based on requirements and constraints regarding budget, licensing and array capabilities, a decision must be made on a per-case basis. Generally speaking, using local disks is the most compelling option because it provides improved resiliency in comparison to USB/SD, and it is relatively inexpensive in comparison to boot from SAN. For large environments (20+ hosts) we recommend testing Auto Deploy. Auto Deploy offers a highly flexible and agile solution and can reduce the amount of operational effort associated with managing and maintaining ESXi hosts.
ESXi Scratch Partition
An important consideration when choosing the type of boot device for ESXi hosts is the location of the ESXi scratch partition. The scratch partition is a 4GB region used by ESXi to store log files and core dumps, as well as a staging area for updates and other temporary files. During the ESXi installation, the installer will attempt to allocate a 4GB region of disk from a local disk for the scratch partition. If no local disk is available, the scratch partition will be created on a RAM disk in the host's memory. It's important to note that because the scratch partition is an area of heavy write I/O, placing it on a USB/SD device is not allowed. When installing on a host with no local datastores (i.e., boot from USB/SD), it's important that following the ESXi installation, users manually reconfigure the scratch partition to reside on a persistent datastore.
Figure 6. Configuring the Scratch Partition
Deployment
Various deployment methods are supported for ESXi, such as booting the installer off of a DVD or over PXE, and deploying the ESXi image onto a local disk over the network using a variety of protocols, including secure HTTP.
VMware ESXi 5.0 enables users to do a scripted installation of the ESXi software onto the local disk of a server, analogous to the kick-start mechanism used for ESX architecture. The scripted installation configuration file (typically named ks.cfg) can also specify the following scripts to be executed during the installation:
Preinstall
Postinstall
First-boot
These scripts are run locally on the ESXi host and can perform various tasks, such as configuring the host's virtual networking and joining it to vCenter Server. These scripts can be written using either the ESXi Shell or Python.
In ESXi 5.0, boot from SAN is supported on Fibre Channel SAN, as well as iSCSI and FCoE for certain storage adapters that have been qualified for this capability.
VMware ESXi 5.0 is still available preinstalled on Flash drives on certain server models available from a number of hardware OEM vendors. (Consult the server HCL to determine which combinations of server and USB or Flash drive are supported.)
As stated, with vSphere 5.0, VMware has added scripted installation capabilities to ESXi. A basic scripted CD-ROM-based install entails the following procedure:
1. Boot from the ESXi CD-ROM.
2. Press Tab when the VMware VMvisor Boot Menu is displayed.
3. Edit the string so it includes the location of the script:
> mboot.c32 -c boot.cfg ks=http://<ip-address>/ks.cfg
The string has changed compared to vSphere 4.1. The <ip-address> should be replaced with the IP address of the Web server hosting the configuration file. The ks.cfg configuration file can also be located on other types of media such as CD-ROM or an FTP server. For more details, refer to the VMware vSphere 5.0 ESXi Installable and vCenter Server Setup Guide.
It is also possible to PXE boot the VMware ESXi installer. This however requires a TFTP server that supports PXE boot, gPXE and a modification to the DHCP server to allow the DHCP server to send the host the correct TFTP and PXE information (DHCP options 66 and 67). For more details, refer to the VMware vSphere 5.0 ESXi Installable and vCenter Server Setup Guide, where this procedure is fully documented.
When using a PXE mechanism to facilitate the installation or a CD-ROM, an answer script is required. The script follows a standardized format to supply the installer with the correct parameters. The following example includes an action on the first boot, to demonstrate the considerable capabilities the ESXi installer offers. Before using a script in a production environment, it is recommended to extensively test and validate it in an isolated environment. With vSphere 5.0, many of the scripted installation and upgrade commands either have been replaced or deleted or are not supported anymore. For more details, refer to the VMware vSphere 5.0 ESXi Installable and vCenter Server Setup Guide, where these commands are fully documented.
# Sample scripted installation file
# Accept the VMware End User License Agreement
vmaccepteula
# Set the root password for the DCUI and Tech Support Mode
rootpw mypassword
# Install on the first local disk available on machine
install --firstdisk --overwritevmfs
# Set the network to DHCP on the first network adapter, use the specified hostname and do
# not create a portgroup for the VMs
network --bootproto=dhcp --device=vmnic0 --addvmportgroup=0
# Reboot the host after the scripted installation is completed
reboot
%firstboot --interpreter=busybox
# Add an extra nic to vSwitch0 (vmnic2)
esxcli network vswitch standard uplink add --uplink-name=vmnic2 --vswitch-name=vSwitch0
# Assign an IP address to the first VMkernel interface; this will be used for management
esxcli network ip interface ipv4 set --interface-name=vmk0 --ipv4=192.168.1.41 --netmask=255.255.255.0 --type=static
# Add vMotion portgroup to vSwitch0, assign it VLAN ID 5 and create a VMkernel interface
esxcli network vswitch standard portgroup add --portgroup-name=vMotion --vswitch-name=vSwitch0
esxcli network vswitch standard portgroup set --portgroup-name=vMotion --vlan-id=5
esxcli network ip interface add --interface-name=vmk1 --portgroup-name=vMotion
esxcli network ip interface ipv4 set --interface-name=vmk1 --ipv4=192.168.2.41 --netmask=255.255.255.0 --type=static
# Enable vMotion on the newly created VMkernel vmk1
vim-cmd hostsvc/vmotion/vnic_set vmk1
# Add new vSwitch for VM traffic, assign uplinks, create a portgroup and assign a VLAN ID
esxcli network vswitch standard add --vswitch-name=vSwitch1
esxcli network vswitch standard uplink add --uplink-name=vmnic1 --vswitch-name=vSwitch1
esxcli network vswitch standard uplink add --uplink-name=vmnic3 --vswitch-name=vSwitch1
esxcli network vswitch standard portgroup add --portgroup-name=Production --vswitch-name=vSwitch1
esxcli network vswitch standard portgroup set --portgroup-name=Production --vlan-id=10
# Set DNS and hostname
esxcli system hostname set --fqdn=esxi5.localdomain
esxcli network ip dns search add --domain=localdomain
esxcli network ip dns server add --server=192.168.1.11
esxcli network ip dns server add --server=192.168.1.12
# Set the default PSP for EMC V-MAX to Round Robin as that is our preferred load
# balancing mechanism
esxcli storage nmp satp set --default-psp=VMW_PSP_RR --satp=VMW_SATP_SYMM
# Enable SSH and the ESXi Shell
vim-cmd hostsvc/enable_ssh
vim-cmd hostsvc/start_ssh
vim-cmd hostsvc/enable_esx_shell
vim-cmd hostsvc/start_esx_shell
This example script shows how to automate the installation of an ESXi host, including how to configure additional vSwitches, port groups including VLAN IDs and how to change the default path selection plug-in (PSP).
The major change with ESXi 5.0 compared to ESXi 4.1 and prior is esxcli. The esxcli command has been enhanced with many new parameters (namespaces) and enables almost every configuration option available today. There are, however, still a few exceptions. In these cases, familiar commands such as vicfg-*, vmware-cmd, vim-cmd and vmkfstools can be used.
It is important to recognize the difference between the %pre, %post and %firstboot. In our example, we have used only %firstboot because that is most common when configuring ESXi hosts. It is executed during the first boot after the installer has completed. The following diagram depicts the process of a scripted installation where both the %post and %firstboot sections are used:
Figure 7. Scripted Installation Process (diagram labels: Boot installer; %pre; Standard ks.cfg; %post; Reboot; %firstboot; Finish)
Both %pre and %post are most commonly used when there is a requirement to download driver packages or to make changes before the actual configuration. For instance, during the %post, a driver package might be downloaded to a local datastore, using wget. This package might be installed during the %firstboot phase. In our example, the drivers must be available on local disk during the %firstboot phase to be able to install them. The following is an example of how to implement this:
%post
# download drivers to local volume
wget http://192.168.1.100/network.zip -O /vmfs/volumes/datastore1/network.zip
%firstboot
# install drivers that were downloaded
/sbin/esxcli software vib install --depot=/vmfs/volumes/datastore1/network.zip --vibname=<name of .VIB to install>
Depending on the scenario, it is also possible to download and install drivers during the %firstboot phase.
%firstboot
/sbin/esxcli software vib install --depot=https://192.168.1.100/network.zip --vibname=<name of .VIB to install>
As demonstrated, there are many ways to configure an ESXi host or to install additional drivers and packages when required. We have yet to face a problem that could not be resolved by the various command-line tools and APIs. We refer to the VMware VMTN Community for sample scripts.
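A pre-deployment check for the ks.cfg patterns shown in this section, as an added example (not part of the original guide or of VMware's tooling): it flags a clear-text rootpw line, driver packages pulled over plain HTTP and later installed as VIBs, and commands that turn on SSH or the ESXi Shell. The rule names, both sample files and the net-driver VIB name are constructed for illustration; --iscrypted is the installer's rootpw option for supplying a hashed password.

```python
import shlex
from dataclasses import dataclass

# Constructed sample: commands from the scripted-installation examples on this page,
# one per line. "net-driver" is a placeholder VIB name.
WEAK_KS = """\
vmaccepteula
rootpw mypassword
install --firstdisk --overwritevmfs
network --bootproto=dhcp --device=vmnic0 --addvmportgroup=0
reboot
%post
wget http://192.168.1.100/network.zip -O /vmfs/volumes/datastore1/network.zip
%firstboot --interpreter=busybox
/sbin/esxcli software vib install --depot=/vmfs/volumes/datastore1/network.zip --vibname=net-driver
vim-cmd hostsvc/enable_ssh
vim-cmd hostsvc/start_ssh
vim-cmd hostsvc/enable_esx_shell
vim-cmd hostsvc/start_esx_shell
"""

# Constructed counterpart: hashed root password (placeholder hash), HTTPS depot, no shell services.
HARDENED_KS = """\
vmaccepteula
rootpw --iscrypted $1$placeholder$notarealhash
install --firstdisk --overwritevmfs
network --bootproto=dhcp --device=vmnic0 --addvmportgroup=0
reboot
%firstboot --interpreter=busybox
/sbin/esxcli software vib install --depot=https://192.168.1.100/network.zip --vibname=net-driver
"""

SECTIONS = ("%pre", "%post", "%firstboot")
SHELL_SERVICES = ("hostsvc/enable_ssh", "hostsvc/start_ssh",
                  "hostsvc/enable_esx_shell", "hostsvc/start_esx_shell")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the ks.cfg text
    section: str   # "main", "%pre", "%post" or "%firstboot"
    rule: str
    detail: str


def option_value(tokens, name):
    """Return the value given as `name value` or `name=value`, or None."""
    for i, tok in enumerate(tokens):
        if tok == name and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok.startswith(name + "="):
            return tok[len(name) + 1:]
    return None


def audit_kickstart(text):
    """Return a list of Finding objects for risky lines in a ks.cfg file."""
    findings = []
    section = "main"
    http_downloads = {}  # local path -> line number of the plain-HTTP download
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to a whitespace split
            tokens = line.split()
        if tokens[0] in SECTIONS:
            section = tokens[0]
            continue
        cmd = tokens[0].rsplit("/", 1)[-1]  # treat /sbin/esxcli like esxcli
        if section == "main" and cmd == "rootpw" and "--iscrypted" not in tokens:
            # The password itself is deliberately kept out of the finding.
            findings.append(Finding(lineno, section, "PLAINTEXT_ROOTPW",
                                    "root password stored in clear text"))
        elif cmd == "vim-cmd" and len(tokens) > 1 and tokens[1] in SHELL_SERVICES:
            findings.append(Finding(lineno, section, "SHELL_SERVICE", tokens[1]))
        elif cmd == "wget":
            urls = [t for t in tokens[1:] if t.lower().startswith("http://")]
            if urls:
                findings.append(Finding(lineno, section, "HTTP_DOWNLOAD",
                                        f"{urls[0]} fetched without TLS"))
                dest = option_value(tokens, "-O")
                if dest:
                    http_downloads[dest] = lineno
        elif cmd == "esxcli" and tokens[1:4] == ["software", "vib", "install"]:
            depot = option_value(tokens, "--depot") or ""
            if depot.lower().startswith("http://"):
                findings.append(Finding(lineno, section, "VIB_DEPOT_HTTP",
                                        f"depot {depot} fetched without TLS"))
            elif depot in http_downloads:
                findings.append(Finding(lineno, section, "VIB_FROM_HTTP_DOWNLOAD",
                    f"installs {depot}, downloaded over HTTP on line {http_downloads[depot]}"))
    return findings
```

Calling `audit_kickstart(WEAK_KS)` returns seven findings, while `audit_kickstart(HARDENED_KS)` returns none.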
Hardware Monitoring
The Common Information Model (CIM) is an open standard that defines a framework for agentless, standards-based monitoring of hardware resources for ESXi. This framework consists of a CIM object manager, often called a CIM broker, and a set of CIM providers.
CIM providers are the mechanisms that provide management access to device drivers and underlying hardware. Hardware vendors, including server manufacturers and specific hardware device vendors, can write providers to supply monitoring and management of their particular devices. VMware also writes providers that implement monitoring of server hardware, ESXi storage infrastructure and virtualization-specific resources. These providers run inside the ESXi system and are designed to be extremely lightweight and focused on specific management tasks. The CIM broker takes information from all CIM providers and presents it to the outside world via standard APIs, the most common one being WS-MAN. Any software tool compatible with one of these APIs, such as HP SIM or Dell OpenManage, can read this information, monitoring the hardware of the ESXi host.
One consumer of the CIM information is vCenter. Through a dedicated tab in the vSphere Client, users can view the hardware status of any ESXi host in their environment, providing a single view of the physical and virtual health of their systems. Users can also set vCenter alarms to be triggered on certain hardware events, such as temperature or power failure and warning states.
Figure 8. Hardware Monitoring in VMware vCenter Server
ESXi also exposes hardware status information via SNMP for other management tools that rely upon that standard. SNMP traps are available from both the ESXi host and vCenter. VMware ESXi 5.0 supports SNMPv2, and it can be configured using the vSphere vCLI command vicfg-snmp or using the Set-VMHostSNMP cmdlet in vSphere PowerCLI.
VMware ESXi 5.0 adds the capability to convert CIM indications to SNMP traps. Users should check with their hardware vendor to see whether its CIM provider supports this functionality. In addition, ESXi 5.0 now supports the Host Resources MIB (RFC 2790) and enables finer control over the types of traps sent by the SNMP agent.
Firmware Upgrades
Upgrading firmware on any platform is a cumbersome task. Historically, customers who have used the COS have upgraded the firmware with tools provided by the respective vendor. With ESXi, that approach will no longer work, due to the absence of the COS. Firmware upgrades, however, still must be applied periodically. The following options exist to solve this problem:
1. Hardware vendor vCenter plug-in or management application
2. Hardware vendor bootable upgrade CD-ROM/DVD
3. PXE boot of vendor's upgrade CD-ROM/DVD
4. PXE boot of small Linux distribution
Several hardware vendors provide management plug-ins for vCenter Server that enable users to manage firmware upgrades from within the vSphere Client. These plug-ins frequently offer reporting capabilities that reduce the chances of inconsistency across the virtual infrastructure. Large environments typically use a centralized management application to manage hardware end to end, which also includes the capabilities to upgrade firmware.
Many vendors offer a bootable CD-ROM/DVD that contains all required drivers and firmware code. These are typically categorized per server model and can be used to boot a host from and manually upgrade the appropriate devices. This solution typically is used in environments of up to 10 hosts. For larger environments, we have found that using a PXE boot configuration in conjunction with the vendor-provided upgrade CD-ROM/DVD can be a flexible alternative. The overall transfer size of the total package might be a constraint.
Finding a unified solution to manage firmware and patches in an environment where multiple types of hardware from different vendors are used can be a challenge. Creating a custom, slimmed-down Linux appliance that identifies the hardware configuration and updates the firmware accordingly can solve this problem. Solutions such as these typically use a PXE boot configuration with a central repository for the different types of firmware for this environment. This does require extensive knowledge of the various components and a substantial effort with regard to development, but it ultimately leads to a highly flexible and scalable solution that enables users to update any of the hardware components.
We advise managing the firmware level consistently and following the hardware vendor's recommendations, to avoid running into any interdependency issues. We also recommend that when users are acquiring new hardware, they look into the level of integration and the mechanisms that can be leveraged around managing their hardware. Especially in converged, shared platforms, availability and manageability are key to the success of an IT department.
Systems Management and Backup
Systems management and backup products integrate with ESXi via the VMware vSphere APIs. The API-based partner integration model significantly reduces management overhead by eliminating the need to install and manage agents in the COS.
VMware has worked extensively with our ecosystem to transition all partner products to the API-based integration model of ESXi. As a result, BMC, CA, HP, IBM, EMC, NetIQ, Quest Software, Commvault, Vizioncore, Double-Take Software, SteelEye and Symantec are among the majority of systems management and backup vendors in the VMware ecosystem that have products that support ESXi today. Users employing an agent-based partner solution to integrate with ESX should check with their vendor to see if a newer version of the product supports ESXi.
VMware also includes backup capability with the vSphere product suite. VMware Data Recovery is a robust, easy-to-deploy backup and recovery solution that businesses should consider to provide the first line of data protection for their virtual environment.
VMware Data Recovery enables:
Full image backup of virtual machines
Full and incremental recovery of virtual machines, plus recovery of individual files and directories
Patching and Updating
The patching and updating of ESXi enable flexibility and control. During the patching process, only the specific modules being updated are changed. The administrator can preserve any previous updates to other components. Whether installed on disk or in embedded Flash memory, ESXi employs a dual-image approach, with both the current and prior version present. When a patch is installed, the new image is constructed and overwrites the prior image. The current version becomes the prior version and the system boots off the newly written image. If there is a problem with the image, or if the administrator wants to revert to the prior one, the host is simply rebooted off the recent, good image.
Figure 9. Workflow for Installing Patches (diagram labels: Install Patch; Construct and Write New Image to Current Image; Copy Current Image to Prior Image)
VMware vCenter Update Manager is a vCenter plug-in patch-management solution for vSphere. It enables centralized, automated patch and version management for vSphere. It offers support for ESX and ESXi hosts, virtual machines and virtual appliances, enabling administrators to make their virtual infrastructure compliant with baselines they define. Updates that users specify can be applied to ESX and ESXi hosts, virtual machines and virtual appliances that can be scanned. With Update Manager, users can perform the following tasks:
Scan for compliance and apply updates for guests, appliances and hosts
Directly upgrade hosts, virtual machine hardware, VMware Tools and virtual appliances
Install and update third-party software on hosts
Update Manager 5.0 enables users to apply offline bundle patches. These are patches that are downloaded manually from a VMware or third-party Web site, not hosted in an online depot. This is especially relevant to ESXi, because many important components, such as third-party driver updates and CIM provider updates, are often distributed only as offline bundles.
An alternative to Update Manager is the vCLI command esxcli software. This command applies software updates to ESX/ESXi images, and installs and updates ESX/ESXi extensions such as VMkernel modules, drivers and CIM providers. Unlike Update Manager, esxcli software works only on an individual host and does not monitor for compliance to baselines. However, it does not require vCenter Server to function.
vSphere PowerCLI also offers a similar solution to esxcli software with the Install-VMHostPatch cmdlet. This cmdlet can be used to install host patches located locally, from a Web location or in a host file system. It works only on an individual host and does not monitor for compliance to baselines. It also does not require vCenter Server to function.
Table 2 presents a summary of ESXi patching and updating options.
PATCHING AND UPDATING TOOL / WHEN TO USE
VMware vCenter Update Manager
    Use when hosts are managed by vCenter Server. Update Manager is integrated with vCenter Server and provides a single pane of glass.
    Use when monitoring for compliance against patching baselines is required.
    Use when coordination with host maintenance mode is needed for vSphere Distributed Resource Scheduler (DRS) to perform an orderly evacuation of virtual machines from existing hosts.
esxcli software
    Use for one-off host upgrades.
    Use in remote situations in which vCenter Server is not accessible.
    Use when ESX and ESXi hosts are not managed by vCenter Server.
Install-VMHostPatch PowerCLI cmdlet
    Use for one-off host upgrades.
    Use in remote situations in which vCenter Server is not accessible.
    Use when ESX and ESXi hosts are not managed by vCenter Server.
    Use as part of scripted solutions.
Table 2. Considerations for Patching and Update Tool
Image Builder
vSphere 5.0 introduces the ESXi Image Builder CLI, a PowerShell snap-in (set of commands) that enables users
to customize ESXi images. With the Image Builder CLI, users can create ESXi installation images with a
customized set of updates, patches and drivers. The ESXi installation image comprises a series of separately
packaged software components referred to as VMware Installation Bundles (VIBs). When an ESXi host is
installed, the installer formats the boot device and extracts the VIBs off the installation media onto the boot
device. After the VIBs have been extracted, the host boots and the hypervisor is loaded. There was a challenge
with ESXi versions prior to 5.0 anytime an administrator needed to update the ESXi installation image to add or
modify one of the VIB components (to add new device drivers for a new network adaptor, for example). In
vSphere 5.0, the Image Builder CLI addresses this gap by providing users with the ability to customize their ESXi
installation images.
Using the Image Builder CLI, customers place the ESXi VIBs into collections referred to as software depots. The
administrator then uses the Image Builder PowerCLI to combine the VIBs from the separate depots together
with the default ESXi installation image to create a custom image profile that can then be used to install their
ESXi hosts. Multiple depots and image profiles can be maintained. For example, a separate image profile can be
created for installing ESXi on rack mounted servers while another separate image profile is used for installing
ESXi on blade servers.
User Authentication
Although day-to-day operations are done on vCenter, there are instances when users must work with ESXi
directly, such as with configuration backup and log file access. To control access to the host, customers can have
local users on an ESXi system. With ESXi 5.0, customers can configure the host to join an Active Directory
domain, and any user trying to access the host will automatically be authenticated against the centralized user
directory. Customers can also have local users defined and managed on a host-by-host basis and configured
using the vSphere Client, vCLI or PowerCLI. This second method can be used in place of, or in addition to, the
Active Directory integration.
Users can also create local roles, similar to vCenter roles, that define things that the user is authorized to do on
the host. For instance, a user can be granted read-only access, which allows them only to view host information.
Or they can be granted administrator access, which allows them both to view and to modify host configuration.
If the host is integrated with Active Directory, local roles can also be granted to Active Directory users and
groups. For example, an Active Directory group can be created to include users who should have an
administrator role on a subset of ESXi servers. On those servers, the administrator role can be granted to that
Active Directory group. For all other servers, those users would not have an administrator role. If an AD
administrator creates a group with the name VMware ESX Admins, ESXi 5.0 automatically grants administrator
access to this group, enabling the creation of a global administrators group. This operation can be overridden on
individual ESXi hosts by assigning the no access role to the group ESX Admins.
The only user defined by default on the system is the root user. The initial root password is typically set using the
direct console user interface (DCUI). It can be changed afterward using the vSphere Client, vCLI or PowerCLI.
The root user is defined only locally. In other words, Active Directory does not manage the root password. It is
possible to exclude the root user access by enabling Lockdown Mode. This is addressed in a later section of
this paper.
Logging
As of vSphere 5.0, ESXi host logging is managed through the syslog facility, including vSphere High Availability
(VMware HA) logs. Host logs can also be downloaded from the host by using the Export Diagnostic Data
vSphere Client option.
The ESXi log file structure is different from that of ESX. Because there is no service console, there is also no need
to have the same collection of files. With ESXi 5.0, multiple log files have been added. The following log files are
most commonly used for troubleshooting purposes:
PATH + LOG FILE | DESCRIPTION
/var/log/vmkernel.log | All log entries are generated by the VMkernel.
/var/log/vmkwarning.log | A subset of the VMkernel logs that include only warnings and sysalerts events.
/var/log/hostd.log | Host management service (hostd = host daemon) log.
/var/log/sysboot.log | System boot log.
/var/log/fdm.log | VMware HA log file.
Table 3. Summary of Log Files
Proper log management is important for both troubleshooting and compliance. ESXi exposes logs from the host
agent (hostd), vCenter agent (vpxa) and VMkernel (messages) by using a host syslog capability. Users can
configure syslog to write logs to any accessible datastore via the following steps:
1. In the vSphere Client inventory, left-click the host.
2. Click the Configuration tab.
3. Click Advanced Settings under Software.
4. Select Syslog in the tree control.
5. In the Syslog.global.logDir text box, enter the datastore name and the path to the file where syslog will log
messages, using the format [storage1] /<host>/logs/. Ensure that the directory is created beforehand.
You can optionally include the protocol and the port; for example, ssl://hostname:514. UDP (default), TCP
and SSL are supported.
By default, when a local boot disk is used, the ESXi host will write log files to the host's scratch partition
(/scratch/log). For USB/SD or boot-from-SAN installations, where no local datastore is available, it is
recommended to use a shared 20GB VMware vSphere VMFS volume with unique directories for each host.
When using a shared VMFS volume, it's important to monitor the disk space usage on this volume using the
vCenter-provided alarm functionality.
NOTE: You might need to reboot the host for the changes to take effect. It is recommended to include the host
name in the name of the folder.
Users can also configure syslog to forward log messages to a remote syslog server for enterprise central
logging. Using a remote syslog server will simplify troubleshooting and ensure that log files are always
accessible, even when an ESXi host has physically failed. Using a centralized syslog server also facilitates
correlation between events on different hosts.
VMware offers two separate remote syslog solutions. The first solution is called the ESXi Syslog Collector, which
can be installed on a supported Windows server using the vCenter Server installation media. The second
solution is to use the syslog capabilities of the VMware vSphere Management Assistant (vMA). After a remote
syslog host has been set up, configuring the ESXi host to forward the logs is straightforward and can be done
via the following seven simple steps:
1. In the vSphere Client inventory, left-click the host.
2. Click the Configuration tab.
3. Click Advanced Settings under Software.
4. Select Syslog in the tree control.
5. In the Syslog.global.LogHost text box, enter the name of the remote host where syslog data will be
forwarded. If no value is specified, no data is forwarded.
7. Click OK.
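The remote-host value described in this section (optional protocol and port, UDP by default, TCP and SSL supported, nothing forwarded when empty) can be checked mechanically when reviewing host configurations. The following Python code is an added example, not VMware code; the default port of 514, the acceptance of comma-separated targets and the severity labels are assumptions of this example.

```python
"""Audit a Syslog.global.LogHost value. Added example, not VMware code."""
from dataclasses import dataclass
from urllib.parse import urlsplit

SUPPORTED = ("udp", "tcp", "ssl")  # protocols the guide lists
DEFAULT_PROTO = "udp"              # the guide names UDP as the default
DEFAULT_PORT = 514                 # assumption: same port as the guide's example


@dataclass(frozen=True)
class LogTarget:
    proto: str
    host: str
    port: int


def parse_loghost(value):
    """Return the LogTarget entries in a LogHost string; ValueError if malformed.

    Accepting several comma-separated targets is an assumption of this example.
    """
    targets = []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        proto, sep, rest = item.partition("://")
        if not sep:                      # bare "host" or "host:port"
            proto, rest = DEFAULT_PROTO, item
        proto = proto.lower()
        if proto not in SUPPORTED:
            raise ValueError(f"unsupported protocol {proto!r} in {item!r}")
        parts = urlsplit("//" + rest)    # reuse the stdlib host[:port] parser
        if not parts.hostname or parts.path or parts.query or parts.fragment:
            raise ValueError(f"malformed target {item!r}")
        port = parts.port if parts.port is not None else DEFAULT_PORT
        targets.append(LogTarget(proto, parts.hostname, port))
    return targets


def audit_loghost(value):
    """Return (severity, message) findings; an empty list means nothing to report."""
    try:
        targets = parse_loghost(value)
    except ValueError as exc:
        return [("error", str(exc))]
    if not targets:
        return [("high", "no remote host set: no log data is forwarded")]
    findings = []
    for t in targets:
        where = f"{t.proto}://{t.host}:{t.port}"
        if t.proto == "udp":
            findings.append(("medium", f"{where}: UDP is unencrypted and can drop messages"))
        elif t.proto == "tcp":
            findings.append(("low", f"{where}: TCP is reliable but unencrypted"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, one per host being reviewed.
    for sample in ("", "loghost01", "tcp://10.0.0.5:1514", "ssl://hostname:514"):
        print(repr(sample), "->", audit_loghost(sample) or "ok")
```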
You can configure ESXi host logging during installation when doing a scripted installation. Both the syslog
advanced setting and the local datastore path setting can be configured through the use of vim-cmd. The
following command is an example of how to set the path to a local datastore:
vim-cmd hostsvc/advopt/update Syslog.global.LogDir string [storage1] var/log/messages
It is also possible to automatically create a unique directory using the name of the ESXi host under the specified
Syslog.global.Logdir by enabling Syslog.global.logDirUnique through the advanced setting in the vSphere
Client or through vim-cmd using the following command:
vim-cmd hostsvc/advopt/update Syslog.global.LogDirUnique bool true
To correlate log events between hosts, it is very important to keep the date and time of your ESXi hosts in sync
with an accurate time source. This is often required for compliance. It is also important when using the host to
maintain accurate time on the guest virtual machines. VMware recommends synchronizing virtual machines with
an NTP or w32tm server as described in VMware knowledge base article 1006427 and VMware knowledge base
article 1318. ESXi has built-in capabilities for synchronizing with Network Time Protocol (NTP) time servers,
which can be configured through the vSphere Client or through the shell, as shown in the automated installation
script or through vSphere PowerCLI with the Set-VMHostNTPServer cmdlet.
Figure 10. Logging in VMware ESXi (diagram labels: VM; Enterprise Syslog Collection; VMware Management Framework; Local Support Consoles; Datastore; VMkernel; Common Information Model; Virtual Machine Support and Resource Management; Infrastructure Agents (NTP, Syslog, etc.); Enterprise NTP Time Server)
ESXi Shell
ESXi Shell is a simple shell intended for advanced troubleshooting under the guidance of technical support.
When remote command-line tools are not capable of addressing a particular issue, the ESXi Shell provides an
alternative. Similarly to how the COS is used to execute diagnostic commands and fix certain low-level problems,
the ESXi Shell enables users to view log and configuration files, as well as to run certain configuration and utility
commands to diagnose and fix problems. ESXi Shell is not based on Linux. Rather, it is a limited-capability shell
compiled especially for ESXi.
In addition to being available on the local console of a host, the ESXi Shell can be accessed remotely through
SSH. Access to the ESXi Shell is controlled in the following ways:
Both SSH and ESXi Shell can be enabled and disabled separately in both the DCUI and the vSphere Client or
through vSphere PowerCLI.
Any authorized user, not just root users, can use ESXi Shell. Users become authorized when they are granted
the administrator role on a host (through Active Directory membership in a privileged group and through other
methods).
All commands issued in ESXi Shell are logged through syslog, providing a full audit trail. If a syslog server is
configured, this audit trail is automatically included in the remote logging.
A timeout can be configured for ESXi Shell (including SSH), so that after being enabled, it will automatically be
disabled after the configured time. Changes to the SSH timeout will apply only to new sessions. Existing
sessions will not be timed out, but any new session is prevented after the timeout period.
ESXi Shell is recommended for use primarily for support, troubleshooting and break-fix situations. It also can be
used as part of a scripted installation, as described in a previous section. All other uses of ESXi Shell, including
running custom scripts, are not recommended in most cases. Instead, users should use the vSphere vCLI or
vSphere PowerCLI.
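Because every ESXi Shell command reaches syslog, the forwarded audit trail can be screened for commands that change a host's security or availability posture. The following Python code is an added example, not VMware code: it flags commands named elsewhere in this guide. The stored line layout (`<timestamp> <host> shell[<pid>]: [<user>]: <command>`), the rule names and the sample lines are assumptions constructed for this example.

```python
"""Flag posture-changing ESXi Shell commands in collected syslog. Added example."""
import re

# Assumed layout of a stored shell audit record; adjust to what your collector writes.
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+shell\[(?P<pid>\d+)\]:\s+"
    r"\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# Hypothetical rule names; the commands themselves appear in this guide.
RULES = [
    ("syslog-reconfigured",
     re.compile(r"\bvim-cmd\s+hostsvc/advopt/update\s+Syslog\.", re.I)),
    ("shell-warning-suppressed",
     re.compile(r"UserVars\.SuppressShellWarning", re.I)),
    ("firewall-changed",
     re.compile(r"\besxcli\s+network\s+firewall\b.*\b(set|unload|add|remove)\b")),
    ("vm-process-killed",
     re.compile(r"\besxcli\s+vm\s+process\s+kill\b")),
    ("maintenance-mode",
     re.compile(r"\bvim-cmd\s+hostsvc/maintenance_mode_(enter|exit)\b")),
    ("localcli-used",
     re.compile(r"^\s*localcli\b")),
]


def scan(lines):
    """Return (hits, skipped): flagged shell commands and the count of non-shell lines."""
    hits, skipped = [], 0
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            skipped += 1          # not a shell audit record in the assumed layout
            continue
        for name, rx in RULES:
            if rx.search(m["cmd"]):
                hits.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                             "rule": name, "cmd": m["cmd"]})
                break             # first matching rule wins
    return hits, skipped


# Constructed sample records (not captured from a real host).
SAMPLE = """\
2011-10-03T09:10:02Z esx01 shell[2810]: [root]: esxcli vm process list
2011-10-03T09:11:20Z esx01 shell[2810]: [root]: esxcli network firewall ruleset list
2011-10-03T09:12:44Z esx01 shell[2810]: [root]: esxcli network firewall unload
2011-10-03T09:13:10Z esx01 shell[2810]: [root]: vim-cmd hostsvc/advopt/update Syslog.global.LogDir string [storage1] var/log/messages
2011-10-03T09:15:31Z esx02 shell[3122]: [jdoe]: esxcli vm process kill --type=soft --world-id=4711
2011-10-03T09:16:00Z esx02 Hostd: constructed non-shell line
""".splitlines()

if __name__ == "__main__":
    found, ignored = scan(SAMPLE)
    for hit in found:
        print(f'{hit["ts"]} {hit["host"]} {hit["user"]} {hit["rule"]}: {hit["cmd"]}')
    print(f"{ignored} line(s) skipped")
```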
When ESXi Shell is enabled, the vSphere Client will display a warning sign on the ESXi host, as depicted in the
following screenshot. If wanted, this warning can be disabled per host by completing the following procedure:
Select the host.
Click the Configuration tab.
Click Advanced Settings.
Go to UserVars and scroll to the bottom.
Change the value of UserVars.SuppressShellWarning from 0 to 1.
NOTE: This change impacts the warning for both local and remote (SSH) access to the ESXi Shell.
Figure 11. ESXi Shell Warning When Shell Is Enabled
Local Access and Lockdown Mode
ESXi 5.0 provides the ability to fully control all direct access to the host via vCenter Server. After a host has been
joined to vCenter Server, every direct communication interface with the host is configurable as an independent
service in the Configuration tab for the host in the vSphere Client. This includes the following interfaces:
DCUI
ESXi Shell
SSH
Each of these can be turned on and off individually.
Figure 12. Local and Remote Access Services
Access based on the vSphere API (for example, the vSphere Client, PowerCLI, vCLI, and so on) is normally
governed by granting local privileges to specific users. The root user is the only one that has a permanent
administrator role on the host. All other users must be explicitly granted a local role on the host in order to
access it.
There are cases in which you would not want anyone to access the host directly at all, instead managing it
exclusively through VMware vCenter Server. Lockdown Mode is a feature designed to provide this capability.
When Lockdown Mode is enabled on the host, all direct remote access to the host is blocked, including
Any vSphere API client
ESXi Shell
SSH
Even if Tech Support Mode is enabled, Lockdown Mode effectively overrides this by preventing any connection
from succeeding. The only way to manage the host remotely is through vCenter Server. The interaction between
the host and vCenter Server occurs through a special-purpose account called vpxuser; all other ordinary user
accounts, including root, can no longer connect remotely.
For the special case of hardware monitoring through the CIM interface, monitoring software must obtain this
hardware information directly from the host. To do this, the monitoring software must be programmed to obtain
a special authentication ticket from vCenter Server. This ticket allows the software to obtain the information from
the host through the vCenter Server vpxuser account on a one-time basis.
With Lockdown Mode enabled, the only direct access to the host that remains open is through the DCUI. This
provides a way to perform limited administrative tasks outside of vCenter Server. The DCUI can also turn off
Lockdown Mode, disabling it without going through vCenter Server. This might be useful if vCenter Server is
down or otherwise unavailable and users want to revert to direct management of the host. To log in to the DCUI
in Lockdown Mode, however, the root password is required. No other user can log in, even if they have been
granted an administrator role.
In the extreme case, users might want to disable all direct access to the host. For example, they might want to
prevent anyone with the root password from disabling Lockdown Mode and managing the host. In this case,
they can take the additional step of disabling the DCUI for the host, through vCenter Server. After this is done,
no direct interaction with the host, local or remote, is possible. It can be managed only through vCenter Server. If
vCenter Server is down or otherwise unavailable, users cannot revert to direct management, because logging in
to the DCUI is no longer possible. If the vCenter Server cannot be restored, the only way to revert to direct
management is to reinstall the ESXi software on the host.
Lockdown Mode is not permanent. It can be disabled for any individual ESXi host at any time (provided that
vCenter Server is running and able to connect to that host). The recommendation is that Lockdown Mode be
used in ordinary, day-to-day operations but that it be disabled for a host if the need arises to interact with it
directly. For example, if a troubleshooting situation is encountered and the tools provided by vCenter Server are
not sufficient, Lockdown Mode should be disabled and more extensive diagnostics should be performed, using
Tech Support Mode, for example.
Table 4 presents a summary of Lockdown Mode and its interaction with the various host access services.
ACCESS MODE | NORMAL | LOCKDOWN | LOCKDOWN + DCUI DISABLED
vSphere API (e.g., the vSphere Client, vSphere PowerCLI, vSphere vCLI, and so on) | Any user, based on local roles/privileges | None (except vCenter vpxuser) | None (except vCenter vpxuser)
CIM | Any user, based on local roles/privileges | None (except via vCenter ticket) | None (except via vCenter ticket)
DCUI | Root and users with administrator privileges | Root only | None
ESXi Shell | Root and users with administrator privileges | None | None
SSH | Root and users with administrator privileges | None | None
Table 4. Summary of Lockdown Mode Effect on Local Access
ESXi Firewall
Although ESXi has offered security enhancements in Lockdown Mode, ESXi 5.0 introduces a firewall as well.
Similar to the ESX firewall, the ESXi firewall can be managed from the host and cluster view of the vSphere
Client. After selecting the host and choosing the Configuration tab, the VI administrator can check different
services and firewall settings under Security Profile.
The following screenshot shows the security profile of a host, with details on available services and firewall rules.
Administrators can start or stop any of these services and also provide access to these services through the
firewall parameters.
Figure 13. ESXi Firewall Properties
ESXi Firewall CLI
For firewall configuration commands, a separate firewall namespace is provided. The esxcli command can be
used to list all firewall rules. The list command (esxcli network firewall ruleset list) can be used to collect the
information about the current firewall settings. The set command (esxcli network firewall ruleset set) enables
users to configure firewall rules. Administrators can use this simple and intuitive command interface option to
manage firewall rules.
esxcli network firewall
    get
    set
    refresh
    load
    unload
    ruleset
        list
        set
        allowedip
            add
            list
            remove
        rule
            list
Figure 14. esxcli Firewall Command Structure
vSphere PowerCLI can also be used to view and configure firewall rulesets using the following cmdlets:
Get-VMHostFirewallDefaultPolicy
Get-VMHostFirewallException
Set-VMHostFirewallDefaultPolicy
Set-VMHostFirewallException
Diagnostics and Troubleshooting
With ESXi 5.0, there are a variety of options for diagnosing problems with the server configuration or operation,
as well as for fixing them. Different methods will be appropriate depending upon the situation. There are also
VMware knowledge base articles with instructions on various issues.
The DCUI is the menu-driven interface available at the console of the physical server on which ESXi is installed or
embedded. Its main purpose is to perform the initial configuration of the host (IP address, host name, root
password) and diagnostics.
The DCUI has several diagnostic menu items:
Restart all management agents, including
  hostd
  vpxa
Reset configuration settings, for example,
  Fix a misconfigured switch
  Reset all configurations to factory defaults
Enable ESXi Shell, including
  ssh
Users can also point an ordinary Web browser to the host and view files, including
  Log files
  Configuration files
  Virtual machine files
As an example, we will demonstrate how to view the log files of any given virtual machine. A user with an
administrator role must provide credentials to use this feature. The procedure is as follows:
1. Open a browser and enter the URL http://<vCenter hostname>, where <vCenter hostname> is the IP
or fully qualified domain name for the vCenter Server.
2. Click the Browse datastores in the VMware vCenter inventory link.
3. Provide administrative credentials when prompted.
4. Navigate the Web pages until you reach the appropriate datacenter, datastore and folder, as noted
in step 1.
5. Click the link to the appropriate log file, and open it with your preferred editor.
In addition to the new esxcli command, a new localcli command has been added in vSphere 5.0. The localcli
command is largely equivalent to the esxcli command, with a noted exception that it bypasses the local
hostd process on the server. The localcli command is intended for situations where the ESXi host's hostd
daemon becomes unresponsive. It is recommended that you do not use the localcli command outside of the
direction of VMware Global Support Services because it can result in host instability.
Other commands that have proven to be very valuable over time include
vscsiStats, which provides detailed information on SCSI performance
nc, which is based on the standard netcat utility
tcpdump-uw, which is based on the standard tcpdump utility
Some commands that are used in troubleshooting scenarios are listed here for your convenience. This is not a
comprehensive list. Rather, the following are just a few of the capabilities that the ESXi Shell offers:
vmkping -s 9000 <ipaddress>
The command vmkping can be used to do basic network troubleshooting, but it is more often used to validate
the operation of jumbo frames by adding the size of the packet, as shown in our example.
fdisk -l
This lists all disk partitions and includes the type of the partition, where VMFS partitions are labeled as fb.
vim-cmd hostsvc/maintenance_mode_enter
Maintenance Mode can be entered from the command line by using vim-cmd.
vim-cmd hostsvc/maintenance_mode_exit
Maintenance Mode can be exited using this command.
esxcli vm process list
esxcli vm process kill --world-id=<world-id> --type=<soft, hard, force>
The first command provides a list of all the virtual machines currently registered on the host. The second
command enables you to power off a virtual machine.
These commands are just examples of what is possible with the ESXi Shell. We recommend that you avoid
enabling access to the ESXi Shell unless absolutely needed and that you disable access when it is no longer
needed. In general, troubleshooting workflows are similar to those with VMware ESX, due to the feature set of
ESXi Shell.
One thing that has changed in terms of diagnosing problems in vSphere 5.0 is the way core dumps can be
collected. A core dump can be used to determine the reason for system failure. With ESX, the core dump often
was placed on the local disk, which in the case of a total failure frequently made it impossible to do a root cause
analysis. With ESXi, there are the following two options for managing core dumps:
Create a diagnostic partition on SAN storage. Each host must have a diagnostic partition of 100MB. If multiple
hosts share a SAN, configure a diagnostic partition with 100MB for each host.
Install and configure ESXi Dump Collector. New in ESXi, the Dump Collector service enables you to send core
dumps to a network server. It is especially useful for determining reasons for failure of ESXi hosts provisioned
with Auto Deploy.
You can use esxcli system coredump to configure a remote or local core dump partition. You can also use the
network configuration host profile to set up hosts to use ESXi Dump Collector. In either case, you can apply to
other hosts the host profile of a host that uses ESXi Dump Collector.
Figure 15. Listing the Coredump Partition
Summary
The following table provides a summary of the tasks traditionally performed in the service console of
VMware ESX and the functional equivalents for VMware ESXi.
TASK | VMWARE ESX | VMWARE ESXi
Access local files: VMFS files, configuration files, log files | Console commands to browse datastores and virtual machine files | Remote command-line interface commands to list and retrieve files; vSphere client datastore browser for VMFS files downloads and uploads files
Manipulate virtual machine files (for example, modify .vmx) | Advanced configuration done in the vSphere client; Console commands to modify virtual machine files | Advanced configuration done in vSphere Client; Remote command-line interface commands to list and retrieve virtual machine files
Backup | Virtual machine backup: agents in service console, VMware Data Recovery or third-party backup products; VMware ESX backup: uses agents in the service console, creates archive of service console files or performs a scripted reinstall | Virtual machine backup: VMware Data Recovery or third-party backup products; ESXi backup: single small backup file created via vSphere vCLI command vicfg-cfgbackup or vSphere PowerCLI cmdlet Get-VMHostFirmware
Hardware monitoring | Agents in service console; SNMP | CIM-based framework; SNMP
Patching and updating | Update Manager; RPM-based third-party tools | Update Manager; vCLI command vihostupdate
Automated deployment | Red Hat Kickstart | ESXi scripted installation (analogous to Red Hat Kickstart)
Troubleshooting or support | esxcli; esxcfg-* commands | Remote command-line interface commands; ESXi Shell
Advanced configuration | Edits configuration files (for example, hostd.conf) directly | Remote command-line interface commands to list and retrieve VMware ESXi configuration files; Edits files in Tech Support Mode directly
Logging | Remote syslog in service console | Built-in remote syslog client
Performance monitoring | vSphere client; esxtop in service console | vSphere Client; vSphere vCLI command resxtop; esxtop in Tech Support Mode; vSphere PowerCLI cmdlet Get-EsxTop
Reporting and auditing | Service console scripts; Log files | Remote command-line interface commands to list and retrieve log files, configuration and settings; vSphere Client option to export diagnostic data
Table 5. Comparison of Management Capabilities in VMware ESX and VMware ESXi
VMware ESXi Editions
VMware ESXi architecture is offered as a part of all vSphere product editions, with each successive edition
offering greater functionality. At the entry level, VMware offers the vSphere Hypervisor, which is a free
virtualization product. Certain ESXi features are limited in this edition, as outlined in Table 6. All other paid
editions of vSphere lift these feature restrictions. However, even though the host-level features are not limited in
all paid editions, many advanced features, such as VMware DRS and VMware HA, are still available only in
higher-license versions.
FEATURE | vSPHERE HYPERVISOR | VMWARE ESXi ENTERPRISE
SNMP monitoring | Not supported | Full functionality
VMware Consolidated Backup (VCB) and VMware Data Recovery (vDR) tool | Not available | Both applications are available
vSphere vCLI | Limited to read-only access | Full functionality
vSphere PowerCLI and VMware vSphere SDK for Perl | Limited to read-only access | Full functionality
Table 6. Comparison of VMware ESXi Editions
An administrator who has deployed vSphere Hypervisor can enjoy the benefits of virtualization with
VMware ESXi within the feature limits. However, the deployment can be upgraded to a more fully featured
version of vSphere at any time without having to uninstall or reinstall the ESXi software. The additional
capabilities are activated simply when the proper license key is provided, either in the host configuration
or in VMware vCenter Server.
References
VMware ESXi Configuration Guide
http://www.vmware.com/pdf/vsphere4/r41/vsp_41_esxi_server_config.pdf
VMware ESXi Installable and vCenter Server Setup Guide
http://www.vmware.com/pdf/vsphere4/r41/vsp_41_esxi_i_vc_setup_guide.pdf
VMware vSphere Command-Line Interface Installation and Scripting Guide
http://www.vmware.com/support/developer/vcli/
VMware vSphere Command-Line Interface Reference
http://www.vmware.com/support/developer/vcli/
VMware ESXi Upgrade Center
http://www.vmware.com/go/UpgradeToESXi
VMware ESXi Chronicles Blog
http://blogs.vmware.com/esxi/
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be
trademarks of their respective companies. Item No: VMW-WP-ESXi-OPERGUIDE-USLET-102-WEB