Thursday, June 4, 2009

VMware Server - management over ssh

Both VMware Server versions, 1.0.x and 2.0.x, can be managed over ssh. The advantage is simpler firewall rules: only ssh has to be allowed through, and VMware management then runs inside that ssh connection. Managing over ssh is even more useful with VMware Server 2.0.x, which uses two TCP ports.

VMware Server 1.0.x
ssh -4 -v -L 1902:
[messages resulting from -v option removed]
debug1: Local connections to LOCALHOST:1902 forwarded to remote address
debug1: Local forwarding listening on port 1902.

ssh -v shows that all connections to the local loopback address on TCP port 1902 are forwarded over ssh to the server's loopback address on port 902.

The reason I am using port 1902 at the local end is that, in order to bind local port 902, ssh would have to run as root.

Connecting to the server with VMware Server Console is done by choosing "Remote host" and entering as "Host name".

VMware Server 2.0.x
ssh -L 1902:localhost:1902 -L 8333:localhost:8333

The differences from 1.0.x are:
  • Two ports are forwarded now: port 8333 is also forwarded to the remote server
  • Local port 1902 is now forwarded to remote port 1902, not to port 902
Remote port 1902 is not the default port on the server. The default port was changed with command from 902 to 1902. The port belongs to the VMware authd process.

VMware Server 2.0.x uses two ports for management:
  1. Port 8333 is used by the web browser for the initial contact with the server over https
  2. The number of the second port is learned from connection 1; in this case it is 1902
The reason for configuring the authd port as 1902 is ssh: the ssh command no longer needs to run as root, because it binds local port 1902 instead of the privileged port 902.

If the server has already been configured to use port 902 and reconfiguring is not an easy option, the ssh command can instead be run as root (e.g. with sudo) with the local port set to 902.

In both cases, once the two ports (8333 and 1902 or 902) have been forwarded with ssh, the server can be contacted with the web browser using
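As an added example that is not part of the original post, the POSIX shell helper below builds the forwarding command for either VMware Server version, answers the root question for a given local port, and checks a captured `ss -ltn` listing to confirm that each forwarded port is reachable only from loopback. The host name vmhost and the listing are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original post. Builds the ssh forwarding command
# for VMware Server 1.0.x / 2.0.x, decides whether the local end needs root,
# and checks that a forwarded port listens on loopback only. "vmhost" and the
# sample `ss -ltn` output below are constructed for illustration.

# Print the ssh command: $1 = VMware major version (1 or 2), $2 = local authd
# port, $3 = remote authd port, $4 = ssh host. Binding explicitly to 127.0.0.1
# keeps the forward off other interfaces even if GatewayPorts were enabled.
vmware_ssh_cmd() {
  case "$1" in
    1) echo "ssh -L 127.0.0.1:$2:localhost:$3 $4" ;;
    2) echo "ssh -L 127.0.0.1:$2:localhost:$3 -L 127.0.0.1:8333:localhost:8333 $4" ;;
    *) echo "unknown VMware Server version: $1" >&2; return 1 ;;
  esac
}

# True (exit 0) when ssh would need root: $1 = local port, $2 = effective uid.
# Ports below 1024 are privileged; this is why the post uses 1902 rather than 902.
needs_root() {
  [ "$1" -lt 1024 ] && [ "$2" -ne 0 ]
}

# Read `ss -ltn` output on stdin; exit 0 only if port $1 is listening and every
# listener on that port is bound to a loopback address (127.0.0.1 or [::1]).
forward_bound_to_loopback() {
  awk -v want="$1" '
    $1 == "LISTEN" {
      addr = $4; sub(/:[0-9]+$/, "", addr)
      port = $4; sub(/^.*:/, "", port)
      if (port == want) {
        found = 1
        if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
      }
    }
    END { exit (found && !exposed) ? 0 : 1 }'
}

# Constructed sample: 1902 is correctly on loopback, 8333 is wrongly on all interfaces.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:1902      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8333        0.0.0.0:*'

vmware_ssh_cmd 2 1902 1902 vmhost
if needs_root 902 "$(id -u)"; then echo "port 902 would need sudo"; fi
printf '%s\n' "$SS_SAMPLE" | forward_bound_to_loopback 1902 && echo "1902: loopback only"
printf '%s\n' "$SS_SAMPLE" | forward_bound_to_loopback 8333 || echo "8333: exposed beyond loopback"
```

Run the loopback check against real `ss -ltn` output after starting the tunnel; a forward that shows up on 0.0.0.0 or * is reachable from the network, not just from the console on the local machine.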

Tricky, isn't it?
