Isolation of Virtual Machines
This section describes VMCI isolation mechanisms as they apply to VMware Workstation and ESXi hosts.
Isolation in Workstation
After Workstation 8.x, or earlier with the virtual machine marked isolated, a virtual machine is allowed to interact only with hypervisor services (context ID = 0). This allows an isolated virtual machine to use VMware Tools without any problems. An isolated virtual machine is not allowed to interact with other virtual machines.
A virtual machine is isolated by default, but Workstation 8.x and earlier had a check box to remove its isolation.
Isolation in ESX/ESXi
ESX/ESXi 4.0 through ESXi 5.0 supported the ability to have several groups of virtual machines per physical host, where a virtual machine could see only the virtual machines that were members of the same group. Groups were not hierarchical and could not overlap. Each host could belong to one or more VMCI domains, and guest virtual machines could see other virtual machines in the same domain, and the hypervisor context. Context IDs had to be unique across domains on the host. VMCI domains were specified in a virtual machine’s .vmx file – no user interface was provided to manage VMCI domains.
As of ESXi 5.1, and earlier if marked isolated, a virtual machine has the same restrictions as for Workstation.
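The two isolation models above (the per-VM isolation of Workstation and ESXi 5.1, and the VMCI domains of ESX/ESXi 4.0 through 5.0) can be written down as a small reachability model, which is useful when reviewing a host configuration for unintended VM-to-VM channels. The following is an added example, not VMware code; it encodes only the rules the text states (the hypervisor context is CID 0, an isolated VM reaches only CID 0, a VM in a VMCI domain additionally reaches VMs in the same domain, CIDs are unique per host) and the VM names, CIDs and domain names are constructed sample values.

```python
"""Reachability model for VMCI isolation (added example, not VMware code)."""
from dataclasses import dataclass, field
from typing import List, Optional

HYPERVISOR_CID = 0  # hypervisor services always live in context ID 0


@dataclass
class GuestVM:
    name: str
    cid: int
    domain: Optional[str] = None  # VMCI domain; only meaningful in "domain" mode


@dataclass
class Host:
    # "isolated": Workstation 8.x+ / ESXi 5.1+ (or earlier VMs marked isolated)
    # "domain":   ESX/ESXi 4.0 through 5.0 with VMCI domains from the .vmx files
    mode: str
    vms: List[GuestVM] = field(default_factory=list)


def validate(host: Host) -> None:
    """Enforce the invariants the text states: CID 0 is the hypervisor, context
    IDs are unique across all domains on a host, and in domain mode every VM
    must carry a domain (domains cannot overlap, so one domain per VM)."""
    if host.mode not in ("isolated", "domain"):
        raise ValueError(f"unknown host mode {host.mode!r}")
    seen = set()
    for vm in host.vms:
        if vm.cid == HYPERVISOR_CID:
            raise ValueError(f"{vm.name}: CID 0 is reserved for the hypervisor")
        if vm.cid in seen:
            raise ValueError(f"{vm.name}: CID {vm.cid} is reused on this host")
        seen.add(vm.cid)
        if host.mode == "domain" and vm.domain is None:
            raise ValueError(f"{vm.name}: VMCI domain required in domain mode")


def is_valid(host: Host) -> bool:
    try:
        validate(host)
        return True
    except ValueError:
        return False


def reachable_cids(host: Host, vm: GuestVM) -> set:
    """Return the set of context IDs that `vm` is allowed to communicate with."""
    validate(host)
    reach = {HYPERVISOR_CID}  # hypervisor services are reachable in both models
    if host.mode == "domain":
        # Same-domain VMs are visible; other domains are not (groups do not overlap).
        reach |= {o.cid for o in host.vms if o is not vm and o.domain == vm.domain}
    return reach


def vm_pairs_that_can_talk(host: Host) -> set:
    """All unordered VM pairs on the host that can reach each other; for an
    audit, a non-empty result on an 'isolated' host is a configuration error."""
    pairs = set()
    for a in host.vms:
        for b in host.vms:
            if a is not b and b.cid in reachable_cids(host, a):
                pairs.add(frozenset((a.name, b.name)))
    return pairs


if __name__ == "__main__":
    # Constructed sample host running the ESX/ESXi 4.0-5.0 domain model.
    legacy = Host("domain", [GuestVM("web", 10, "dmz"), GuestVM("app", 11, "dmz"),
                             GuestVM("db", 12, "internal")])
    print("web reaches:", sorted(reachable_cids(legacy, legacy.vms[0])))  # [0, 11]
    print("pairs:", vm_pairs_that_can_talk(legacy))                        # {web, app}
```

Running `vm_pairs_that_can_talk` over a host in `isolated` mode should always return an empty set; any other result means the model (or the real host) is not applying the ESXi 5.1 / Workstation rule.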
Trusted vSockets
VMCI device interfaces are not available to user-level processes, which must access the device using vSockets.
The vSockets API permits some host applications to create trusted vSockets, which may be used for communication with isolated guest virtual machines. The mechanism for deciding whether a host application creates a trusted VMCI socket depends on the host operating system:
Linux – A process with the capability CAP_NET_ADMIN can create trusted endpoints.
ESXi – A system process with access privileges dgram_vsocket_trusted or stream_vsocket_trusted can create trusted datagram or stream sockets, respectively.
On Workstation 8 and Fusion 4, a host application running with the same user ID as the virtual machine is considered trusted.
The vSockets API also supports the notion of reserved ports (port numbers under 1024): a process must have the capability CAP_NET_BIND_SERVICE to bind to a port in the reserved range. On Windows, only members of the Administrators group are allowed to bind to ports under 1024.
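On a Linux host, both rules above (CAP_NET_ADMIN for trusted endpoints, CAP_NET_BIND_SERVICE for reserved ports) come down to bits in the effective capability set that the kernel reports in /proc/<pid>/status. The following is an added example, not VMware code, for auditing which host processes could open a trusted channel to an isolated guest: it parses the CapEff mask and applies the two rules. The capability bit numbers are those in linux/capability.h; the status-file snippets are constructed, not captured from a real host.

```python
"""Audit Linux process capabilities against the vSockets trust and reserved-port
rules (added example, not VMware code)."""
import re

# Bit positions from linux/capability.h
CAP_NET_BIND_SERVICE = 10
CAP_NET_ADMIN = 12
RESERVED_PORT_LIMIT = 1024  # vSocket ports below this are reserved


def parse_cap_eff(status_text: str) -> int:
    """Extract the effective capability bitmask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(cap_eff: int, cap: int) -> bool:
    return bool((cap_eff >> cap) & 1)


def can_create_trusted_endpoint(cap_eff: int) -> bool:
    """Linux rule from the text: CAP_NET_ADMIN permits trusted vSockets."""
    return has_cap(cap_eff, CAP_NET_ADMIN)


def can_bind_port(cap_eff: int, port: int) -> bool:
    """Reserved ports (< 1024) need CAP_NET_BIND_SERVICE; other ports do not."""
    if port < RESERVED_PORT_LIMIT:
        return has_cap(cap_eff, CAP_NET_BIND_SERVICE)
    return True


def audit(status_text: str, port: int) -> dict:
    """Summarise what a process with this status file could do with vSockets."""
    cap_eff = parse_cap_eff(status_text)
    return {
        "trusted_endpoint": can_create_trusted_endpoint(cap_eff),
        "bind_port": can_bind_port(cap_eff, port),
    }


def audit_pid(pid: int, port: int) -> dict:
    """Same audit against a live process (requires a Linux host)."""
    with open(f"/proc/{pid}/status") as f:
        return audit(f.read(), port)


# Constructed /proc/<pid>/status fragments (not real captures).
UNPRIVILEGED = "Name:\tvsock-client\nCapEff:\t0000000000000000\n"
NET_ADMIN_ONLY = "Name:\tvsock-svc\nCapEff:\t" + format(1 << CAP_NET_ADMIN, "016x") + "\n"
ROOT_FULL = "Name:\tvsock-svc\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, text in (("unprivileged", UNPRIVILEGED),
                        ("net_admin", NET_ADMIN_ONLY), ("root", ROOT_FULL)):
        print(label, audit(text, 500))
```

A process that is neither root nor granted CAP_NET_ADMIN cannot reach an isolated guest through a trusted endpoint, so in an audit only the rows where `trusted_endpoint` is true need a justification.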