Funtoo:User Services/VMware Overview
Funtoo Linux is starting to use some VMware products for internal services. This page is here to document various general things related to VMware products.
ESXi vs vSphere vs vCenter
You have probably heard of VMware ESXi -- the free (as in beer) version of VMware's hypervisor. VMware has started to transition to a new name which is VMware vSphere Hypervisor. Sometimes you may see this listed as "VMware vSphere Hypervisor (ESXi)".
VMware's product naming can be confusing, so this change is probably a good thing. You may have also heard of something called "vCenter". Let's look at how ESXi, vSphere and vCenter relate to each other. Think of "vSphere" as an umbrella, which contains the following components:
- Hypervisor (aka ESXi, free license available)
- vCenter (Commercial, more powerful WebUI, and requirement for higher-end VMware functionality)
VMware vSphere Hypervisor (aka ESXi) provides its own web user interface, which has basic functionality for managing virtual machines on that particular host. In contrast, vCenter provides a more feature-rich web user interface. The catch is that vCenter requires a paid license, whereas the ESXi web interface can be used with a 'free' license. vCenter provides many conveniences for managing a virtual environment, and also serves as a building block for VMware's other commercial offerings.
When deploying ESXi (aka 'vSphere Hypervisor'), it's strongly recommended to secure the management port using a VPN such as WireGuard VPN. It's also highly recommended to enable the NTP service, and deploy a DNS server for the management interface, for both resolution of local VMs that may be deployed, as well as allowing ESXi to resolve the NTP server. For vCenter, an internal DNS server is required, whereas for ESXi it is only highly recommended.
The easiest way to perform ESXi upgrades is via the ssh console. This command can be run to browse for the latest updates to ESXi:
user $ ssh firstname.lastname@example.org root # esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml Name Vendor Acceptance Level Creation Time Modification Time -------------------------------- ------------ ---------------- ------------------- ----------------- ... ESXi-7.0U2c-18426014-standard VMware, Inc. PartnerSupported 2021-08-24T00:00:00 2021-08-24T00:00:00 ESXi-7.0U2c-18426014-no-tools VMware, Inc. PartnerSupported 2021-08-24T00:00:00 2021-08-04T11:40:25 ESXi-7.0U2d-18538813-standard VMware, Inc. PartnerSupported 2021-09-14T00:00:00 2021-09-14T00:00:00 ESXi-7.0U2d-18538813-no-tools VMware, Inc. PartnerSupported 2021-09-14T00:00:00 2021-08-27T10:33:50 ESXi-7.0U2e-19290878-standard VMware, Inc. PartnerSupported 2022-02-15T00:00:00 2022-02-15T00:00:00 ESXi-7.0U2e-19290878-no-tools VMware, Inc. PartnerSupported 2022-02-15T00:00:00 2022-01-31T07:40:31 ESXi-7.0U3c-19193900-standard VMware, Inc. PartnerSupported 2022-01-18T00:00:00 2022-01-18T00:00:00 ESXi-7.0U3c-19193900-no-tools VMware, Inc. PartnerSupported 2022-01-18T00:00:00 2022-01-12T00:03:42
This command can take up to a minute or so to produce output, but will show an exhaustive list of updates that can be installed. Some of these updates require that the ESXi server be placed into "maintenance mode" (via web UI) prior to the update being applied.
To apply a specific update, a command like the following can be run:
Name resolution and outbound Internet access from the management network must be functioning for this to work. The "standard" upgrade is recommended.
root # esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-7.0U2d-18538813-standard
After the update is applied, the host must generally be restarted, and then can be moved out of maintenance mode via the web UI.
Deploying vCenter via VCSA
As of version 7, vCenter is deployed using the vCenter Server Applicance, also called "VCSA". This is a downloadable ISO that is used to install a new VM which will house the appliance. You will need to have at least one vSphere Hypervisor (aka ESXi) host set up to deploy the VCSA. VCSA deployment notes can be found here: https://docs.vmware.com/en/VMware-vSphere/7.0/vsphere-vcenter-server-70-installation-guide.pdf
VMware Licensing: The "Processor"
Commericial VMware products require licenses. These licenses center around the definition of "processor". In VMware terminology, a "processor" is a physical CPU (one per socket), capped at 16 physical cores.
Let's look at an example of how this plays out in reality. Assume you have a vSphere/vCenter "32 Processor" license, and you have one server. This server has two of the following physical CPUs in it:
Intel(R) Xeon(R) Gold 6230 CPU @ 2.10GHz
Each of these processors has 20 physical cores, and 40 hyper-threaded cores. So -- is the "32 Processor" license sufficient for your purposes?
It turns out that the answer is "yes, it is more than enough." Let's do the math and see how this licensing works. We have two physical processors in our server, but they are more than 16 physical cores each. A license for Intel CPU socket 1 is covered by a single VMware processor license, but leaving 4 remaining cores since each VMware license only covers up to 16 per license. Another license for Intel CPU socket 2 is covered by a single VMware processor license, leaving another remaining 4 cores uncovered. We can then cover these leftover "extra" cores from each Intel Processor -- 8 physical cores in total -- with a third single processor license. This means that our single 40-core/80-thread server just used up 3 of our 32 Processor licenses for vSphere/vCenter.
If you are planning to deploy LXD on a virtual machine, then you will likely be using Linux bridging for your containers. If you are mapping this bridge into a VMware virtual switch, then you will need to enable "promiscuous mode" on the VMware virtual switch in order for the bridging on the Linux VM side to work properly. Once this is done, any LXD containers bridged into the vSwitch will be able to communicate with other devices outside the VM itself as expected.