You can't plunge into installing VMware Server on Linux without introducing yourself to VMware Server services and executables. They're your tools for establishing and managing security, networking, administration and other functions, as well as preparing hosts for virtual machines (VMs). Once you're acquainted with them, you'll need to get started with networking and RAID.
So, hop on board for this quick tour of these essential tools and processes. Let's start with the services, move into executables and finish up with networking and RAID.
VMware Server services
Here's the lowdown on key services:
- VMware Authorization Service
The VMware Authorization Service is what listens for incoming
connections from local and remote VMware Server Console applications.
It listens on port 902 for these incoming connections. The service
also, obviously, authenticates users. This service's binary is located
at "/usr/sbin/vmware-authd".
- VMware NAT Service
The VMware NAT Service is what allows VMs on the NATd networks to
communicate with the public internet. This service's binary is located
at "/usr/bin/vmnet-dhcpd".
- VMware DHCP Service
The VMware DHCP Service serves IP addresses to VMs on the server that
are NATd or on private networks. This service's binary is located at
"/usr/bin/vmnet-natd".
- VMware Registration Service
The VMware Registration Service is used to stop and start VMs and
manages their connections. This service's binary is located at
"/usr/sbin/vmware-serverd".
Executables
Executables are the action heroes inside VMware Server, and here are the key characters:
- /usr/bin/vmware-cmd
This application can be used to control VMware Server and the VMs from
the command line. To learn more about this command, simply type
"vmware-cmd" at a shell. More information on this command can also be
found on VMware's website.
- /usr/lib/vmware/bin/vmware-vmx
This binary is the process that hosts the actual VMs. The security
context in which this command is run is very important and will be
discussed later.
- Management User Interface (MUI)
Now deprecated in VMware VI3, the MUI is a way to interact with the
VMware Server via a web browser. It is accessible via HTTP at
http://HOSTNAME:8222/ and HTTPS at https://HOSTNAME:8333/. SSL is
enforced by default.
Physical host servers
At the bottom of the stack is the physical host server. One step above
bare-metal is the host operating system, in this case Ubuntu 6.10 (Edgy
Eft) Server.
VMware Server is made up of three primary components that are installed
on top of the host operating system (OS). They are the registration service, the
authorization service and the MUI. The
registration service starts and stops VMs and controls client connections
to the VMs. The authorization service authenticates incoming
connections from the MUI and the VMware Server Console. The MUI lets
users administer the VMs via a Web interface.
Networking
Before beginning, please unplug the server's Ethernet cables from their
network ports. Most servers get hacked because they are installed in an
insecure state. Secure the server off the network and then restore its
network connectivity at a later time.
Please note that this step is standard for me because I find myself
installing Windows servers more often than Linux servers. I am fully
aware that Ubuntu Linux installs with a sum total of zero ports open and
is very secure. However, unplugging the server from the network while
installing the server certainly will not hurt anything. If you want to
leave the server plugged in, then I will not try to stop you. Be aware,
though, that at a later step SSH will be turned on, and the only measure
initially preventing anyone from logging into your server will be you
having chosen a secure passphrase for your account.
If the server only has one network port, it would be very helpful to the
server security to install a PCI Ethernet card to provide an additional
network port. This will allow for a private management network
interface and a public network interface for the virtual machines.
Many of the steps to facilitate a private management network interface
are discussed later in this document under the SSH and VMware
sections. Out of all the NICs available on the server, patch one NIC's
Ethernet cable into a private network. The network does not need to
have access to the
public internet -- its sole purpose is to provide the server
administrator with access to the server. If, for some reason, this cannot
be accomplished, don't worry. It is still possible to create a private
management network interface using the tools that Linux provides. A
true, physical, private network is just a very nice added layer of security.
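As an added example (not code from the article), the following POSIX shell audit ties the listening ports named earlier, the authorization service on 902 and the MUI on 8222 and 8333, to the private management interface described above: it reads netstat-style output and reports which local address each VMware listener is bound to. The netstat lines and the management address 10.0.0.2 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: report which local
# address each VMware Server listener from the text (902 authd, 8222/8333
# MUI) is bound to, so they are reachable only on the management network.
# The netstat lines and the management address 10.0.0.2 are constructed.

MGMT_IP="10.0.0.2"   # assumed address of the private management interface

# Constructed sample of `netstat -tlnp` output: authd listens on every
# interface, while the MUI listeners are restricted to the management IP.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN      1234/vmware-authd
tcp        0      0 10.0.0.2:8222           0.0.0.0:*               LISTEN      1240/httpd.vmware
tcp        0      0 10.0.0.2:8333           0.0.0.0:*               LISTEN      1240/httpd.vmware
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd'

# vmware_listener_addr PORT: read netstat-style lines on stdin and print the
# local address of the TCP listener on PORT (nothing if there is none).
vmware_listener_addr() {
    awk -v port="$1" '$1 == "tcp" && $6 == "LISTEN" {
        n = split($4, a, ":"); if (a[n] == port) { print a[1]; exit }
    }'
}

# audit_vmware_ports NETSTAT_TEXT: check each VMware port from the article
# and return 1 if any listener is missing or bound to all interfaces.
audit_vmware_ports() {
    rc=0
    for port in 902 8222 8333; do
        addr=$(printf '%s\n' "$1" | vmware_listener_addr "$port")
        case "$addr" in
            "")         echo "port $port: no listener found"; rc=1 ;;
            "$MGMT_IP") echo "port $port: confined to management address $addr" ;;
            *)          echo "port $port: bound to $addr, exposed beyond the management network"; rc=1 ;;
        esac
    done
    return $rc
}

if audit_vmware_ports "$SAMPLE_NETSTAT"; then
    echo "all VMware listeners are confined to $MGMT_IP"
else
    echo "at least one VMware listener needs to be bound to $MGMT_IP"
fi
```

On a live host, replace the constructed sample with the real output of `netstat -tlnp` (run as root so process names are shown).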
RAID
An oft-overlooked part of configuring an application is its disk I/O
requirements. More often than not, slow disk access is the culprit when
it comes to errors with VMs, rather than the usual suspects of CPU and
memory. One way to ensure the best possible disk I/O (input/output) is to properly
configure the server's RAID containers. The RAID configuration should
be determined by the number of disks available to the server. Here is a
handy list that you can use:
- 2 disks - 1 container, RAID-1 (mirror)
- 3 disks - 1 container, RAID-1 with hotspare
- 4 disks - 1 container, RAID-10
- 5 disks - 1 container, RAID-10 OR 2 containers, RAID-1 (system), RAID-1 with hotspare (data)
RAID-5 was not used because, although it is popular, there is a
performance penalty for computing parity on every write. While everyone
has their own RAID configuration preferences, the attempt was made to
present a few configurations that will provide the best possible disk
access times without sacrificing redundancy. The labels "system" and
"data" indicate in which container the OS should be installed and the
data (in this case, the VMs) should be stored, respectively.
Now you're ready for the next step: Installing Linux. This is the fun part!
About the author: Andrew Kutz is deeply embedded in the dark, dangerous world of virtualization. Andrew is an avid fan of .NET, open source, Terminal Services, coding and comics. He is a Microsoft Certified Solutions Developer (MCSD) and a SANS/GIAC Certified Windows Security Administrator (GCWN). Andrew graduated from the University of Texas at Austin with a BA in Ancient History and Classical Civilization and currently lives in Austin, TX with his wife Mandy and their two puppies, Lucy and CJ.