Contributor

Is it possible to get the ESX 3.x Host IP from within the Guest OS?

Is it possible to get the ESX 3.X host IP from within the guest operating system? If so, how do I get it?

User Moderator

Hello,

No, and thankfully it is not. This would be a huge security concern considering that in most cases, VMs are on different networks from the ESX Server!

Best regards,

Edward L. Haletky, author of the forthcoming 'VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, Copyright 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

--
Edward L. Haletky
vExpert XII: 2009-2020,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Contributor

You could use DNS.

User Moderator

Hello,

In order to use DNS, you would need to get the ESX Host Name and that is not available either from within the VM. It would be a serious security leakage....

Best regards,

Edward L. Haletky

VMware Communities User Moderator

Immortal

If you are using VirtualCenter, you could query the database, and determine which host the VM is on.

It would only take a VBS, WSH, etc. to be able to do it.

Jase McCarty

Jase McCarty - Field SA @PureStorage - @jasemccarty
User Moderator

Hello,

Yes, but you would need the following:

1) Access to the VC Server, which should not be on the same network as your VMs.

2) Either the hostname or IP address of the VC Server, which is also not available from within the VM.

If you know the names of everything, of course you can write some scripts, and they are on the same network, etc. However, if you do NOT know the names/addresses of the hosts involved, then it is pretty much impossible to get from within the VM. This was discussed in depth on the Security and Compliance forum. Consider the case where you do know and write the script, and now your VM is hacked (if the VM is running Windows, that can happen in seconds); now the hacker knows the name and IP address of your virtualization servers... They could then craft an attack against them... Due to this risk, I would not create such a script within the VM. I would do this on the ESX/VC Server side of the equation.

Best regards,

Edward L. Haletky

Immortal

The question was "How To", not "Should I".

I don't have any issues with running a script like this, as long as the network is locked down properly.

As an Engineer in a pretty respectable environment during the week, and a Senior NCO in a military position, I have seen both sides of the security argument.

Both my civilian and military jobs have a huge amount of security in place.

What I have found, is often times, security trumps the ability to work, or at least work effectively.

At the same time, the business units, sometimes trump security to make the business work.

I have seen desktop and server lockdown policies that make routine tasks take huge amounts of time to complete. Tasks that would take a competent admin 30 minutes to complete, take a month to complete, because you have to physically touch every system.

In the end, in every situation, the cost factor and manageability of managing systems securely (with risk in mind) has always won in the end. Do you want to have 10 times the number of personnel to manage systems, to make systems useful & secure, because a little extra security has crippled your ability to manage those systems?

The big question is, what is the risk, what is the chance of risk, what are we doing to mitigate the risk, and so on? That being said, who is going to be responsible for the risk?

Please don't take this post as a "Security is a pain" gripe session. It is not. The issue at hand is, what is it going to take to "Run the business" at an acceptable risk, with the best utilization, and the best cost factor.

I am 100% committed to security in my positions, and will not sacrifice security for functionality, if there is no way to keep it secure. If there is no way to secure it, why look at a solution (whatever it may be), if it can't be. That would simply be a bad decision.

Respectfully,

Jase McCarty

User Moderator

Hello,

I moved this thread to the Security and Compliance Forum.

Best regards,

Edward L. Haletky

User Moderator

Hello Jase,

Absolutely, there is always the question of Usability, Functionality, and Security. I tend to lean on the Security side myself. But in general, in the business world usability and functionality tend to win out. As for How-To vs. Should I... I think they both go hand in hand: in order to make this work you will call outside systems, as it is not possible from within the VM. In this case there is always the question of 'Should I', as to remotely call VC, you need to store credentials as well as IP or hostnames on the VM within the script. So a little judicious thought about Security is warranted, I believe.

Best regards,

Edward L. Haletky

Immortal

Judicious thought about security is always warranted. I 100% agree!

With regards to the OP's question, I don't know why this would be necessary, or required. VC is the place to look to find where a VM is residing.

Jase McCarty
