Tip

How to install, secure, monitor and backup VMware on Linux

The last section taught you how to configure and secure Linux for VMware Server. The VMware Server installation process itself is extremely straightforward. This section will provide instructions on how to secure VMware Server, how to fix a nagging bug that crops up with installing it on Ubuntu and how to monitor and back up the server.

Downloading
The first step to installing VMware Server is obtaining the software. Download the latest version of VMware Server for Linux, as well as the Management User Interface from a secure computer. If you have brought the server online, you can transfer these files to the server with scp or sftp or you can burn them to a CD-ROM or put them on a Flash drive with a physical read-only switch.

In the following examples, I have used VMware Server version 1.0.1-29996, but by the time you read this article, VMware may have released a new version of VMware Server and your mileage may vary when it comes to the file names.

Once both tarballs are on the server, move them to /usr/local/src. Then, extract the tarballs by typing:

sudo tar xzf VMware-server-1.0.1-29996.tar.gz
sudo tar xzf VMware-mui-1.0.1-29996.tar.gz

After the files are extracted, you will be left with two directories:

vmware-server-distrib
vmware-mui-distrib

Go ahead and rename the directories so that they each have a suffix of -1.0.1-29996 (or whatever your version is) and the directories look like:

vmware-server-distrib-1.0.1-29996
vmware-mui-distrib-1.0.1-29996

We renamed the directories so that several months from now, when you download the latest release of VMware Server, upload the tarballs to your server and extract them, the extracted directories do not overwrite the previous ones.

Installation
It is now time to begin the VMware Server installation. Change directories into what should now be:

/usr/local/src/vmware-server-distrib-1.0.1-29996

Quickly list the files with:

ls -l

…and you will see the installer. It is called "vmware-install.pl". To begin the installation, type:

sudo ./vmware-install.pl

For several steps, you can accept the installer's default values by simply pressing "Enter" when prompted. Eventually the installer will inform you that before running VMware Server for the first time you need to configure it. The screen will look like this:

Pay attention to the command the installer is calling, "/usr/bin/vmware-config.pl". You will have to re-run this command whenever you do any major kernel updates on this server, because this is the command that builds the VMware Server kernel modules. So remember, if you are going to update your kernel, be prepared to re-run "/usr/bin/vmware-config.pl".

Press "Enter" to continue. At this point, if you did not install the packages grouped as various in the Components section above, you will get a warning similar to this:

The correct version of one or more libraries needed to run VMware Server
may be missing. This is the output of ldd /usr/bin/vmware:
    linux-gate.so.1 => (0xffffe000)
    libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7ed1000)
    libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7ecd000)
    libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7eb9000)
    libX11.so.6 => not found
    libXtst.so.6 => not found
    libXext.so.6 => not found
    libXt.so.6 => not found
    libICE.so.6 => not found
    libSM.so.6 => not found
    libXrender.so.1 => not found
    libz.so.1 => /usr/lib/libz.so.1 (0xb7ea4000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d70000)
    /lib/ld-linux.so.2 (0xb7efc000)

We will assume you installed all the packages I asked you to and you did not get this warning. Display the license agreement and wake me up when you're finished "reading" it. Continue accepting the installer's default values until the installer instructs you that none of the pre-built modules for VMware Server are suitable for your running kernel:

If you have installed all the packages that I asked you to, you can go ahead and press "Enter" and then confirm the location of your kernel headers by pressing "Enter" again and watch the VMware Server installer build its kernel modules.

After the install is finished building the kernel modules, it will ask if you want to configure networking for your VMs. Accept the default of "yes" by pressing "Enter". If the server has multiple NICs, then the installer will ask which one you want to bridge to "vmnet0", the first VM network interface:

Remember when we configured the NICs and designated one of them as the server's management interface NIC and the rest as the VM NICs? This is where it matters. Go ahead and type the name of one of the NICs you designated as a VM NIC. (For example, I typed "eth0".) Press "Enter" to confirm this choice.

The installer will ask if you wish to configure another bridged network. If you have any remaining NICs you have dedicated to VMs on the server, you may want to repeat this process and create bridged networks for each VM NIC. Once you are through creating bridged networks, continue with the installation.

The installer will ask if you want to use NAT networking in your VMs. Press "Enter" to accept the default choice of yes. The installer will then ask if you wish to probe for an unused private subnet. Press "Enter" to accept the default choice of yes. You will receive an error:

The installer cannot probe the network because of the iptables ruleset we configured earlier. This is okay. The installer will ask you to enter an IP address of a host on the private network. Enter "192.168.0.2" and press "Enter".

Next the installer will ask you for the netmask of the private network. Enter "255.255.255.0" and press "Enter". The installer will create a NAT'd network with the information you just entered. The network that it will create will be a /24 network capable of having 254 hosts on it. This should be plenty.

Next the installer will ask if you would like to configure host-only networking for the VMs. Press "Enter" to accept the default choice of yes. The installer will once again ask if you wish to probe for an unused private subnet. This time type "no" and press "Enter". Once again, enter an IP address (use "192.168.1.2") and press "Enter". Use the same netmask as before, "255.255.255.0", and press "Enter". The installer will create a host-only network capable of having 254 hosts on it.

The installer will now ask which port you would like to use to accept incoming VMware Server Console connections on. The default port of 902 is fine; press "Enter" to continue.

Notice that the installer stops and starts the xinetd daemon. VMware Server uses xinetd to host the VMware Server authentication daemon, and because xinetd uses TCP wrappers, the server's hosts.deny and hosts.allow files control who can connect to this VMware Server remotely using the VMware Server Console application.

Although no prompt will appear, please note that the installer says it is "Generating SSL Server Certificates". We will be dealing with those later.

The installer will now ask which directory you want to keep your VMs in. We do not want to use the default value because not only does it have a space in it, it also has capital letters! This is Linux, for Pete's sake!

Change the value to "/var/lib/vmware/vms" and press "Enter" to continue.

Finally, the installer will ask for your VMware Server serial number. To obtain the free serial number for VMware Server, visit www.vmware.com/download/server, and click on the "Register Now" button. Once obtained, enter the serial number and press "Enter" to continue.

Congratulations; VMware Server is now up and running on the server. Now it is time to configure and secure it.

Configuration
Unlike VMware Server for Windows, most of the configuration for VMware Server for Linux is actually handled by the installer. There is, however, one thing we need to do.

vmware-authd
As I mentioned earlier, the VMware auth daemon is hosted by the xinetd service. We need to edit the VMware auth daemon's configuration so that it only listens for incoming connections on the management interface NIC. We do this by editing the following file:

sudo vi /etc/xinetd.d/vmware-authd

The file should look like this:

# default: on
# description: The VMware remote access authentication daemon
service vmware-authd
{
  disable     = no
  port      = 902
  socket_type   = stream
  protocol    = tcp
  wait      = no
  user      = root
  server     = /usr/sbin/vmware-authd
  type      = unlisted
}

We want to add a line just above the line that begins with port so that, when we are through, the file looks like this:

# default: on
# description: The VMware remote access authentication daemon
service vmware-authd
{
  disable     = no
  bind      = MGMT_NIC_IP
  port      = 902
  socket_type   = stream
  protocol    = tcp
  wait      = no
  user      = root
  server     = /usr/sbin/vmware-authd
  type      = unlisted
}

Replace MGMT_NIC_IP with the IP address of the management interface. Save the file and exit. Restart the xinetd process with the following command:

sudo /etc/init.d/xinetd restart

Now the VMware auth daemon will only be listening for incoming connections on the dedicated management interface.
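
One way to confirm the change took effect, as an added example that is not part of the original article: the script checks the "bind" line in the xinetd stanza and then checks "netstat -ltn" output for port 902. The address 192.0.2.10 is a placeholder for MGMT_NIC_IP, and the stanza and netstat lines are constructed samples.

```shell
# Added example. 192.0.2.10 stands in for MGMT_NIC_IP; all sample data is constructed.

# Print the value of one attribute (bind, port, ...) from an xinetd service file.
xinetd_attr() {  # $1 = file, $2 = attribute name
    awk -v key="$2" '/^[ \t]*#/ { next }
        $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# Succeed only if the stanza binds vmware-authd to the expected address.
check_authd_bind() {  # $1 = file, $2 = expected management IP
    addr=$(xinetd_attr "$1" bind)
    case "$addr" in
        "")          echo "FAIL: no bind line, listens on every interface"; return 1 ;;
        0.0.0.0|::)  echo "FAIL: bind = $addr is a wildcard address"; return 1 ;;
        "$2")        echo "OK: bind = $addr"; return 0 ;;
        *)           echo "FAIL: bind = $addr, expected $2"; return 1 ;;
    esac
}

# Read `netstat -ltn` output on stdin. Succeed only if the port is listening
# on the expected address and on no other local address.
check_listener() {  # $1 = expected IP, $2 = port
    awk -v want="$1:$2" -v port="$2" '
        $NF == "LISTEN" && $4 ~ (":" port "$") {
            if ($4 == want) ok = 1
            else { print "FAIL: unexpected listener " $4; bad = 1 }
        }
        END { exit !(ok && !bad) }'
}

# Constructed samples: the stanza with or without a bind line, and netstat output.
sample_stanza() {  # $1 = "" or a bind address
    printf '%s\n' "# default: on" "service vmware-authd" "{" "  disable     = no"
    if [ -n "$1" ]; then echo "  bind      = $1"; fi
    printf '%s\n' "  port      = 902" "  server     = /usr/sbin/vmware-authd" "}"
}
sample_netstat() {  # $1 = local address that port 902 is listening on
    echo "Proto Recv-Q Send-Q Local Address    Foreign Address  State"
    echo "tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN"
    echo "tcp        0      0 $1:902   0.0.0.0:*        LISTEN"
}

# Demo: the stanza before and after the edit, then the listener before and after.
tmp=$(mktemp)
sample_stanza "" > "$tmp";          check_authd_bind "$tmp" 192.0.2.10 || true
sample_stanza 192.0.2.10 > "$tmp";  check_authd_bind "$tmp" 192.0.2.10
sample_netstat 0.0.0.0 | check_listener 192.0.2.10 902 || true
sample_netstat 192.0.2.10 | check_listener 192.0.2.10 902 && echo "OK: listener"
rm -f "$tmp"
```

On the server itself, point check_authd_bind at /etc/xinetd.d/vmware-authd and pipe the real output of "netstat -ltn" into check_listener after restarting xinetd.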

/lib/security/pam_unix2.so
We have to make a quick symlink to keep errors from occurring later on when the VMware Server Console authenticates to the vmware-authd daemon. Simply execute this command:

sudo ln -s /lib/security/pam_unix.so /lib/security/pam_unix2.so

If you do not do this, you will see an error in the /var/log/auth.log file:

Jan 19 04:15:48 vms02 vmware-authd[18898]: PAM unable to dlopen(/lib/security/pam_unix2.so)
Jan 19 04:15:48 vms02 vmware-authd[18898]: PAM [dlerror: /lib/security/pam_unix2.so: cannot open shared object file: No such file or directory]
Jan 19 04:15:48 vms02 vmware-authd[18898]: PAM adding faulty module: /lib/security/pam_unix2.so

After you create the symlink, you will no longer see the error.

Monitoring
It is possible to monitor VMware Server with several methods. The easiest way to see how things are working is to access the VMware Server MUI at https://HOSTNAME:8333/. The MUI will display the usage statistics of the running VMs on the server.

Another way to monitor VMware Server is with VirtualCenter 1.x and 2.0.1. VirtualCenter 1.x and 2.0.1 can manage VMware Server hosts, as well as provide limited statistics about them.

Backing up
VMware Server does not have the same hot-backup capabilities that ESX does, so it is necessary to suspend a VM before backing it up. Page 95 of the VMware Server Admin Manual has very concise instructions for backing up VMs on the host and configuring backup agents inside the VMs themselves. It is pointless to repeat VMware's own instructions verbatim, so this section defers to the official guide.

Now it's time to move on to the next section: How to obtain the management user interface, how to install it, how to secure and configure it and how to log in.

About the author: Andrew Kutz is deeply embedded in the dark, dangerous world of virtualization. Andrew is an avid fan of .NET, open source, Terminal Services, coding and comics. He is a Microsoft Certified Solutions Developer (MCSD) and a SANS/GIAC Certified Windows Security Administrator (GCWN). Andrew graduated from the University of Texas at Austin with a BA in Ancient History and Classical Civilization and currently lives in Austin, TX with his wife Mandy and their two puppies, Lucy and CJ.

This was first published in February 2007
