VMware on 卡螺絲https://caloskao.org/categories/vmware/Recent content in VMware on 卡螺絲Hugo -- gohugo.iozh-HantThu, 07 May 2026 15:42:17 +0800在 ESXi 建立自訂 Firewall Rulehttps://caloskao.org/vsphere-esxi-create-custom-firewall-rule/Tue, 28 Apr 2026 00:00:00 +0800https://caloskao.org/vsphere-esxi-create-custom-firewall-rule/<img src="https://caloskao.org/images/logo/vmware.png" alt="Featured image of post 在 ESXi 建立自訂 Firewall Rule" /><p>ESXi 的 firewall 預設只開放少數必要的出入站流量。如果需要讓 ESXi 主機本身連到特定 port(例如把系統 log 轉送到 Graylog),就需要新增自訂規則。</p> <p>本文以開放 ESXi outbound TCP/UDP port 5140(Graylog syslog)為例。</p> <h2 id="準備啟用-ssh">準備:啟用 SSH </h2><p>在 vSphere 介面啟用 ESXi SSH,登入後進行後續操作。</p> <h2 id="建立規則設定檔">建立規則設定檔 </h2><p>ESXi 的 firewall 規則以 XML 格式存放在 <code>/etc/vmware/firewall/</code>。新增規則只需複製一份現有範本再修改:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="nb">cd</span> /etc/vmware/firewall </span></span><span class="line"><span class="cl">cp vltd-firewall.xml graylog-syslog.xml </span></span></code></pre></td></tr></table> </div> </div><p>修改 <code>graylog-syslog.xml</code>,定義 TCP 和 UDP 兩條規則:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-xml" data-lang="xml"><span class="line"><span class="cl"><span class="nt">&lt;ConfigRoot&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;service</span> <span class="na">id=</span><span class="s">&#39;0000&#39;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;id&gt;</span>graylog-syslog-tcp<span class="nt">&lt;/id&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;rule</span> <span class="na">id=</span><span class="s">&#39;0000&#39;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;direction&gt;</span>outbound<span class="nt">&lt;/direction&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;protocol&gt;</span>tcp<span class="nt">&lt;/protocol&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;porttype&gt;</span>dst<span class="nt">&lt;/porttype&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;port&gt;</span>5140<span class="nt">&lt;/port&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;/rule&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;enabled&gt;</span>false<span class="nt">&lt;/enabled&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;required&gt;</span>false<span class="nt">&lt;/required&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/service&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;service</span> <span class="na">id=</span><span class="s">&#39;0001&#39;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;id&gt;</span>graylog-syslog-udp<span class="nt">&lt;/id&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;rule</span> <span class="na">id=</span><span class="s">&#39;0000&#39;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;direction&gt;</span>outbound<span class="nt">&lt;/direction&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;protocol&gt;</span>udp<span class="nt">&lt;/protocol&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;porttype&gt;</span>dst<span class="nt">&lt;/porttype&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;port&gt;</span>5140<span class="nt">&lt;/port&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;/rule&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;enabled&gt;</span>false<span class="nt">&lt;/enabled&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;required&gt;</span>false<span class="nt">&lt;/required&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/service&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/ConfigRoot&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="重新載入-firewall-規則">重新載入 Firewall 規則 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">esxcli network firewall refresh </span></span></code></pre></td></tr></table> </div> </div><p>確認新規則已出現:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="c1"># esxcli network firewall ruleset list | grep graylog</span> </span></span><span class="line"><span class="cl">graylog-syslog-tcp <span class="nb">false</span> </span></span><span class="line"><span class="cl">graylog-syslog-udp <span class="nb">false</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="啟用規則">啟用規則 </h2><p>用 CLI 指定規則 ID 啟用,或在 vSphere Web GUI 的 <strong>Manage &gt; Security &amp; users &gt; Firewall</strong> 勾選:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">esxcli network firewall ruleset <span class="nb">set</span> --ruleset-id<span class="o">=</span>graylog-syslog-udp --enabled<span class="o">=</span><span class="nb">true</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <blockquote> <p><strong>References</strong></p> <ul> <li><a class="link" href="https://kb.vmware.com/s/article/2008226?lang=en_US" target="_blank" rel="noopener" >Custom Firewall Rules in ESXi | VMware KB 2008226</a></li> <li><a class="link" href="https://communities.vmware.com/t5/ESXi-Discussions/How-can-I-add-ESXi-v7-custom-firewall-rule-set/td-p/2915472" target="_blank" rel="noopener" >How can I add ESXi v7 custom firewall rule set? | VMware Communities</a></li> <li><a class="link" href="https://communities.vmware.com/t5/ESXi-Discussions/custom-firewall-setting-in-ESXI7-0-operation-not-permitted/m-p/2872876#M278564" target="_blank" rel="noopener" >Custom firewall setting in ESXi 7.0 — operation not permitted | VMware Communities</a></li> </ul> </blockquote>壓縮 VMware 虛擬機的 VMDK 磁碟大小https://caloskao.org/vmware-esxi-shrink-vmdk/Fri, 30 Jan 2026 00:00:00 +0800https://caloskao.org/vmware-esxi-shrink-vmdk/<img src="https://caloskao.org/images/logo/vmware.png" alt="Featured image of post 壓縮 VMware 虛擬機的 VMDK 磁碟大小" /><p>在 VM 中刪除大量檔案後,VMDK 的占用空間並不會自動縮小——VMware 看不到「哪些 sector 現在是空的」。要真正釋放空間,需要在 guest OS 內執行一套清零流程,再由 VMware Tools 壓縮磁碟。</p> <p>以下步驟在 Linux guest 上執行。</p> <h2 id="step-1磁碟碎片整理">Step 1:磁碟碎片整理 </h2><p>先整理 ext4 filesystem,讓後續的 zerofill 更有效率:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo e4defrag / </span></span></code></pre></td></tr></table> </div> </div><p>部分檔案(symlink、device file)無法碎片整理,出現相關錯誤可忽略。</p> <h2 id="step-2零填充空閒空間">Step 2:零填充空閒空間 </h2><p>用零覆蓋所有未使用的 sector,讓 VMware 識別出哪些空間可以回收:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">dd <span class="k">if</span><span class="o">=</span>/dev/zero <span class="nv">of</span><span class="o">=</span>wipefile <span class="nv">bs</span><span class="o">=</span>1M<span class="p">;</span> sync<span class="p">;</span> rm wipefile </span></span></code></pre></td></tr></table> </div> </div><p>這個指令會把磁碟寫滿(產生 <code>wipefile</code>),同步後再刪除,空閒空間就全部變成連續的零值 sector。</p> <h2 id="step-3執行壓縮">Step 3:執行壓縮 </h2><p>透過 VMware Tools 通知 hypervisor 壓縮磁碟:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo vmware-toolbox-cmd disk shrinkonly </span></span></code></pre></td></tr></table> </div> </div><p>完成後 VMDK 檔案大小就會縮小。</p> <hr> <blockquote> <p><strong>References</strong></p> <ul> <li><a class="link" href="https://superuser.com/a/1116213/904739" target="_blank" rel="noopener" >How to shrink a VMware virtual disk - Super User</a></li> </ul> </blockquote>ovftool 失敗:vim.fault.FileNotFoundhttps://caloskao.org/ovftool-error-vim-fault-file-not-found/Thu, 05 Dec 2024 00:00:00 +0800https://caloskao.org/ovftool-error-vim-fault-file-not-found/<img src="https://caloskao.org/images/logo/vmware.png" alt="Featured image of post ovftool 失敗:vim.fault.FileNotFound" /><p>在 ESXi 中匯入 OVA / OVF 範本只能透過上傳本機檔案,無法從 ESXi 上的 datastore 匯入,因此需透過 <a class="link" href="https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vsphere.vmc-aws-manage-data-center-vms.doc/GUID-6DA60A4B-323A-4F11-BD90-834D601F89BB.html" target="_blank" rel="noopener" ><code>ovftool</code></a> 來完成這件事情。但執行時碰到了 <code>vim.fault.FileNotFound</code>。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">calos@ASUS-ESC500G3:~ ovftool <span class="se">\ </span></span></span><span class="line"><span class="cl"> --net:LAN_172.16.1.X<span class="o">=</span>VM<span class="se">\ </span>Network <span class="se">\ </span></span></span><span class="line"><span class="cl"> --net:LAN2_172.16.2.X<span class="o">=</span>VM<span class="se">\ </span>Network <span class="se">\ </span></span></span><span class="line"><span class="cl"> --net:LAN3_172.16.3.X<span class="o">=</span>VM<span class="se">\ </span>Network <span class="se">\ </span></span></span><span class="line"><span class="cl"> --net:DMZ_172.16.60.X<span class="o">=</span>VM<span class="se">\ </span>Network <span class="se">\ </span></span></span><span class="line"><span class="cl"> https://172.16.1.10/folder/templates/template_bastion-host.ovf<span class="se">\?</span>dcPath<span class="se">\=</span>ha%252ddatacenter<span class="se">\&amp;</span>dsName<span class="se">\=</span>datastore1 <span class="se">\ </span></span></span><span class="line"><span class="cl"> vi://172.16.1.10 </span></span><span class="line"><span class="cl">Enter login information <span class="k">for</span> <span class="nb">source</span> https://172.16.1.10/folder/templates/ </span></span><span class="line"><span class="cl">Username: calos </span></span><span class="line"><span class="cl">Password: *************** </span></span><span class="line"><span class="cl">Opening OVF source: https://172.16.1.10/folder/templates/template_bastion-host.ovf </span></span><span class="line"><span class="cl">The manifest validates </span></span><span class="line"><span class="cl">Enter login information <span class="k">for</span> target vi://172.16.1.10/ </span></span><span class="line"><span class="cl">Username: calos </span></span><span class="line"><span class="cl">Password: *************** </span></span><span class="line"><span class="cl">Opening VI target: vi://calos@172.16.1.10:443/ </span></span><span class="line"><span class="cl">Error: </span></span><span class="line"><span class="cl"> - A general system error occurred: Fault cause: vim.fault.FileNotFound </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Completed with errors </span></span></code></pre></td></tr></table> </div> </div><p>查了一下原因,發現是 OVF 本身的 CD/DVD 還掛著 ISO,導致失敗。參考了<a class="link" href="https://communities.vmware.com/thread/496484" target="_blank" rel="noopener" >這篇</a>使用 <code>--noImageFiles</code>,但依然沒有成功。</p> <p>最後嘗試直接編輯 OVF 檔,把 CD/DVD 裝置直接刪掉:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-xml" data-lang="xml"><span class="line"><span class="cl"><span class="c">&lt;!-- 下關鍵字找 DVD,找到這節把它刪掉 --&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;Item</span> <span class="na">ovf:required=</span><span class="s">&#34;false&#34;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;rasd:AddressOnParent&gt;</span>0<span class="nt">&lt;/rasd:AddressOnParent&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;rasd:AutomaticAllocation&gt;</span>false<span class="nt">&lt;/rasd:AutomaticAllocation&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;rasd:ElementName&gt;</span>CD/DVD drive 1<span class="nt">&lt;/rasd:ElementName&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;rasd:InstanceID&gt;</span>8<span class="nt">&lt;/rasd:InstanceID&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;rasd:Parent&gt;</span>4<span class="nt">&lt;/rasd:Parent&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;rasd:ResourceSubType&gt;</span>vmware.cdrom.iso<span class="nt">&lt;/rasd:ResourceSubType&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;rasd:ResourceType&gt;</span>15<span class="nt">&lt;/rasd:ResourceType&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/Item&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><p>再次執行,還是失敗了。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plain" data-lang="plain"><span class="line"><span class="cl">Opening OVF source: https://172.16.1.10/folder/templates/template_bastion-host.ovf </span></span><span class="line"><span class="cl">The manifest validates </span></span><span class="line"><span class="cl">Error: SHA digest of file template_bastion-host.ovf does not match manifest </span></span><span class="line"><span class="cl">Completed with errors </span></span></code></pre></td></tr></table> </div> </div><p>這邊是因為當初將 OVF 匯出時,會同時倒出一個 <code>.mf</code> 檔案,裡面記錄了 VMDK 與 OVF 檔的 hash,可用來檢測是否被更改過。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plain" data-lang="plain"><span class="line"><span class="cl">SHA1(template_bastion-host-disk1.vmdk)= 6f9c36327d0b00e4d52d93484c54fa625d4a48f2 </span></span><span class="line"><span class="cl">SHA1(template_bastion-host.ovf)= 71aafebf0a44f2b59f00af0c71a7ef26ff7869e5 </span></span></code></pre></td></tr></table> </div> </div><p>這邊有兩個處理方式:</p> <ol> <li>重新對 OVF 檔產生一個相應的 hash,換掉原本的 hash sum,然後把更改過的 MF 檔覆蓋上去</li> <li>直接砍掉 MF 檔</li> </ol> <p>這裡使用第一種方法,因為 MF 檔裡面使用的是 <code>SHA1</code>,因此這邊使用 <code>sha1sum</code> 產生 OVF 檔的 hash sum,然後蓋掉原本的 hash sum</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">calos@ASUS-ESC500G3:~ $ sha1sum template_bastion-host.ovf </span></span><span class="line"><span class="cl">aacf02cdea9311e0e2dd96d37eb41cf217705541 template_bastion-host.ovf </span></span></code></pre></td></tr></table> </div> </div><p>再次執行 <code>ovftool</code>,終於成功了!</p> <p> <img src="https://caloskao.org/post/ovftool-error-vim-fault-file-not-found/img_264499660662_hu_62cc0a2d4e1db31a.jpg" width="1920" height="634" srcset="https://caloskao.org/post/ovftool-error-vim-fault-file-not-found/img_264499660662_hu_62cc0a2d4e1db31a.jpg 1280w, https://caloskao.org/post/ovftool-error-vim-fault-file-not-found/img_264499660662_hu_63e6874ceec31364.jpg 1920w" sizes="100vw" loading="lazy" alt="ovftool 成功執行截圖" class="gallery-image" data-flex-grow="302" data-flex-basis="726px" ></p> <hr> <blockquote> <p><strong>References</strong></p> <ul> <li><a class="link" href="https://communities.vmware.com/thread/496484" target="_blank" rel="noopener" >ovftool fails with Error: vim.fault.FileNotFound |VMware Communities</a></li> <li><a class="link" href="https://www.virtuallyghetto.com/2012/03/how-to-deploy-ovf-located-on-esxi.html" target="_blank" rel="noopener" >How to Deploy an OVF Located On ESXi Datastore Using ovftool</a></li> <li><a class="link" href="http://michaelstoica.com/ovftool-fails-with-error-vimfault-filenotfound/" target="_blank" rel="noopener" >Ovftool fails with error: vimfault.FileNotFound – Michael Stoica</a></li> <li><a class="link" href="https://medium.com/@rootedshell/failed-to-open-virtual-machine-sha1-digest-of-file-xxxxxxxx779-disk1-vmdk-does-not-match-manifest-7d0d94db4451" target="_blank" rel="noopener" >Failed to open virtual machine: SHA1 digest of file xxxxxxxx779-disk1.vmdk does not match manifest. | by Rajesh D | Medium</a></li> </ul> </blockquote>