Let me start by saying that I see embedded hypervisors as a large part of server virtualization’s future. Embedded hypervisors run from energy efficient flash memory as opposed to a local hard disk, and they contain a smaller code base and minimal driver set, thus limiting their overall attack profile.
At VMworld Europe, several VMware independent hardware vendor (IHV) partners announced availability of VMware’s embedded hypervisor, ESX 3i, on their server platforms. You’ll find more information on vendor support in this VMware press release – VMware Announces Agreements to Embed VMware ESX 3i Hypervisor Across Broad Lines of Servers from Dell, Fujitsu-Siemens, HP and IBM.
For many VMware shops, ESX 3i’s small size and small attack profile may be more fantasy than reality. The problem with ESX 3i is the present reality of many large ESX environments, many of which incorporate third party applications in their ESX management stack. ESX 3i’s preferred management methodology is via VMware’s SDK, as ESX 3i does not have the Red Hat Enterprise Linux (RHEL) 3 based console OS that’s common to traditional ESX server deployments. The console is an issue for many third party vendors in the VMware ecosystem because their applications are designed to run on the ESX console OS. Several application vendors that I spoke with at VMworld stated that it will be several months before their applications can exclusively manage an ESX server remotely via the SDK. In the interim, they will continue to require the ESX console in order to manage ESX server. That means that if you purchase an ESX 3i-based server, you’re going to need to install the ESX console anyway. Remember that it’s the absence of the console that gives ESX 3i its primary security benefits. So you’re not going to be able to realize the full benefits of ESX 3i until all third party applications that you use to manage ESX environments fully support managing ESX via the SDK.
If you’re evaluating ESX management applications for an ESX 3i deployment, the question at the top of your list for each application vendor should be “How do you interact with ESX? Do you use the SDK exclusively or do you require the ESX console?” If the vendor requires the console and you wish to deploy ESX 3i as it was intended (without the RHEL 3-based ESX console), then you’ll likely have to rule out some ESX management vendors in the short term. VMware is committed to supporting the ESX console OS for another two years, so third party ESX management vendors have plenty of time to update their products. If you view the ESX console OS as a security liability that you’d rather not have to install, then you should push third party ESX management vendors to exclusively support the VMware SDK as quickly as possible.
Note: Originally posted to Burton Group’s Data Center Strategies blog.
#1 by Alex Barrett - March 7th, 2008 at 15:21
Chris,
Back in September, I reported about how the lack of a service console in ESX 3i would cause grief to end users (see VMware pros predict rocky transition to embedded ESX 3i), but I didn’t imagine at the time that VMware’s own ISV partners would still be struggling to support ESX 3i seven months later. So far, you can argue that it hasn’t really been a problem since 3i is not shipping yet, but what is taking them so long? Thanks for the heads-up.
#2 by Chris - March 7th, 2008 at 23:34
For several vendors, supporting ESX 3i is a code re-write. That’s the biggest problem. They are going from running as a local Linux-based agent to full remote execution, which has resulted in significant changes to their existing code base.
#3 by jaymemaurice - June 11th, 2009 at 14:02
When you use the remote command line on 3i to backup the configuration… it actually creates a gzip fille with a tgz file with an/etc directory. I wonder how stripped ESX is… it still seems to be a *NIX, and still has an SYSV style /etc/sysconfig/ directory… try it.