9.0

ManualsBrandsVMware ManualsApplicationsWorkstation

Table Of Contents

VMCI Sockets Programming Guide

VMCI Sockets Programming Guide

24 VMware, Inc.

Isolation Options in VMX

ESX/ESXi4.0toESXi5.0provide.vmxoptionsforVMCIisolation.AsofESXi5.1,theseoptionshavenoeffect.

[vmci0.unrestricted = FALSE|TRUE]

Whenitsvmci.unrestrictedoptionwassetTRUE,avirtualmachinecouldcommunicatewithallhost

endpointsandothervirtualmachinesthathadvmci0.unrestrictedsetTRUE.

[vmci0.domain = <domainName>]

(ESX/ESXionly)Allvirtualmachinesandhostapplicationsweremembersofthedefaultdomain("")null

string,bydefault.Ifthevmci0.domainoptionspecifiedanon‐defaultdomain,thenthevirtualmachine

couldcommunicateonlywiththehypervisorandothervirtualmachinesinthesamedomain.Thiswasto

organizevi

rtualmachinesintogroupsthatcouldcommunicatewitheachother.

AsofESXi5.1,orearlierwhenconfiguredforrestrictedcommunication,theVMCIdevicehasasecurityprofile

similartoanyotherdevicesuchaskeyboard,videomonitor,mouse,ormotherboard.Guestcommunications

dependontheVMCIapplicationsrunningonthehost.VMCIinits

elfdoesnotexposeanyguestinformation.

Isolation of Virtual Machines

ThissectiondescribesVMCIisolationmechanismsastheyapplytoVMwareWorkstationandESXihosts.

Isolation in Workstation

AfterWorkstation8.x,orearlierwithitamarkedisolated,virtualmachineisallowedtointeractonlywith

hypervisorservices(contextID=0).Thisallows useofVMwareToolswithoutanyproblemsevenforan

isolatedvirtualmachine.Anisolatedvirtualmachineisnotallowedtointeractwithothervirtualmach

ines.

Avirtualmachineisisolatedbydefault,butWorkstation8.xandearlierhadacheckboxtoremoveitsisolation.

Isolation in ESX/ESXi

ESX/ESXi4.0untilESXi5.0supportedtheabilitytohaveseveralgroupsofvirtualmachinesperphysicalhost,

whereavirtualmachinecouldseeonlythevirtualmachinesthatwereamemberofthesamegroup.Groups

werenothierarchicalandcouldnotoverlap.Eachhostcouldbelongtooneormo

reVMCIdomains,andguest

virtualmachinescouldseeothervirtualmachinesinthesamedomain,andthehypervisorcontext.Context

IDshadtobeuniqueacrossdomainsonthehost.VMCIdomainswerespecifiedinavirtualmachine’s.vmx

file–nouserinterfacewasprovidedtomanageVMCIdomains.

AsofESXi5.

1,andearlierifmarkedisolated,avirtualmachinehasthesamerestrictionsasforWorkstation.

Trusted VMCI Sockets

VMCIdeviceinterfacesarenotavailabletouser‐levelprocesses,whichmustaccessitusingVMCISockets.

TheVMCISocketsAPIpermitssomehostapplicationstocreatetrustedVMCISockets,whichmaybeusedfor

communication withisolatedguestvirtualmachines.Themechanismfordecidingwhetherahostapplication

createsatrustedVM

CIsocketdependsonthehostoperatingsystem:

 Linux–AprocesswiththecapabilityCAP_NET_ADMINcancreatetrustedendpoints.

 ESXi–Asystemprocesswithaccessprivilegesdgram_vsocket_trustedorstream_vsocket_trusted

cancreatetrusteddatagramorstreamsockets,respectively.

 Creationoftrustedendpointsisnotallowedonotherhostoperatingsystems.

OnWorkstation8andFusion4,ahostapplicationrunningwiththesameuserIDasthevirtualmachineis

consideredtrusted.

TheVMCISocketsAPIalsosupportsthenotionofreservedports(portsnumbersunder1024),whereaprocess

mus

thavecapabilityCAP_NET_BIND_SERVICEsoitcanbindtoaportwithinthereserved<1024portrange.

OnWindows,onlymembersoftheAdministratorgroupareallowedtobindtoportsunder1024.