Trust your ESXi hypervisor!

When it comes to security there are always concerns about the security of the ESXi hypervisor. It's always the hypervisor that is nominated as the layer that can't be trusted within the IT infrastructure. The whitepaper by Mike Foley tries to give you more insight into the VMware ESXi hypervisor from a security perspective and into what to look at when securing the hypervisor.

The topics covered in the white paper are:

  • Secure Virtual Machine Isolation in Virtualization
  • Network Isolation
  • Virtualized Storage
  • Secure Management
  • Platform Integrity Protection
  • VMware’s Secure Development Lifecycle

The document can be downloaded here.

vCenter XVP Manager and Converter

The battle for the hypervisor continues. VMware is still ahead of its competitors, but Microsoft and Citrix are gaining market share in the hypervisor area. From the start these vendors have had tools to convert virtual machines from VMware ESX / ESXi to one of their own hypervisors and to manage VMware ESX machines.

VMware has its own VMware Labs. Here flings are presented to the public for beta testing. These are applications that you can download and test within your own environment. Flings are applications that may one day be incorporated into vSphere. Until that time flings are not supported by VMware, so use them at your own risk within your environment.

VMware has now also created a tool to manage third-party hypervisors and convert VMs from a third-party competitive hypervisor platform to VMware ESX / ESXi:

VMware XVP Manager and Converter

VMware vCenter XVP Manager and Converter provides basic virtualization management capabilities for non-vSphere hypervisor platforms towards enabling centralized visibility and control across heterogeneous virtual infrastructures. It also simplifies and enables easy migrations of virtual machines from non-vSphere virtualization platforms to VMware vSphere.

Features

Management of the following Microsoft Hyper-V platforms:

  • Microsoft Hyper-V Server 2008
  • Microsoft Windows Server 2008 (64-bit) with Hyper-V role enabled
  • Microsoft Hyper-V Server 2008 R2
  • Microsoft Windows Server 2008 R2 with Hyper-V role enabled

Familiar vCenter Server graphical user interface for navigating through and managing non-vSphere inventory

Ease of virtual machine migrations from non-vSphere hosts to vSphere inventory

Compatible with VMware vCenter Server 4.0 & 4.1

Scalable up to management of 50 non-vSphere hosts

You can get your own copy at http://labs.vmware.com/flings/xvp

Guest VM Operations inside Hyper-V

To ESXi or not to ESXi? That's the question…

ESXi is the small footprint hypervisor created by VMware. It can be implemented on bare-metal servers and is used to host virtual machines. It can be managed by vCenter and is supported by all other VMware products.

So as far as the above few lines state, it is the same as VMware's "thick" hypervisor: ESX. And there are even some advantages which the "thin" ESXi has over ESX, being:

  • It's "thin"; As I already stated above, ESXi is a small footprint installation. 32 Mb(!!!) against approx. 2~3 Gb.
  • Quick install; Boot, accept license, choose disk, install, run. A simple installation method to install it on your server. You can even use a USB drive to boot from.
  • Easy update; Updating ESXi can be compared to flashing a BIOS. Because it's such a small footprint, just download the newest version and replace the current one. Fast and easy.
  • Simple configuration menu; ESXi comes with a simple configuration menu (again BIOS-like) which provides you with all the options you can configure in ESXi. No more service console!
  • More secure; ESXi having such a small footprint (fewer patches!) and having no external communication interface (a CLI for example) except for VC / RCLI makes it more secure than ESX.

Ok, so why don't we all switch to this small and practical hypervisor? Well, there are some disadvantages which can withhold you from implementing ESXi in an IT production environment, being:

  • Service console is gone; For people already working with the fat ESX: no more service console, which can be a disadvantage if your IT department frequently uses the command line.
  • No central unattended distribution method; You can't install ESXi unattended, which is something you want if you have a large VI. Currently there are no unattended distribution methods as far as I know.
  • Can't install local agents; There is no service console anymore, so you can't use local agents on your ESXi host. Everything needs to be able to communicate with the VI API or any other remote connection method to gather information.

Conclusion: ESXi is very suitable for corporate production environments. ESXi has the same functional specs as ESX; you can host virtual machines on it and it can be managed using vCenter. However, ESXi has advantages and disadvantages over ESX. Every environment needs to be evaluated to determine whether ESXi is suited to it. If you are currently still dependent on something ESXi can't provide, for example an agent in the service console, then continue using ESX.

But switching to ESXi is the future! So if you decide not to switch now, prepare yourself for the future. Start using ESXi in your test environment and gain experience. Communicate current flaws to VMware and your third-party tooling / hardware vendors. They can make this product better with your input!

For more information look at the following links. There is a lot of information about ESXi. Read it and make your decision.

VMware whitepaper The Architecture of VMware ESXi

VMware whitepaper Managing VMware ESXi

Presentation by Amir Sharif (VMware) Managing ESXi in the datacenter (Need VMworld login account)

David Sumsky : Differences between ESX and ESXi

David Sumsky : Technical differences between ESX and ESXi

KB 1006543 : ESX and ESXi comparison

KB 1003345 : Differences in supported networking features between ESX server 3.5 and ESX server 3i

Update: When using ESXi you can install agents in VMware's VIMA, which can also be used to run the esxcfg commands (thanks for the additional info go to Duncan Epping).