1virt-v2v-input-vmware(1) Virtualization Support virt-v2v-input-vmware(1)
2
6 virt-v2v-input-vmware - Using virt-v2v to convert guests from VMware
7
9 virt-v2v -i vmx GUEST.vmx [-o* options]
10 virt-v2v -i vmx
12 -it ssh
13 -ip passwordfile
14 'ssh://root@esxi.example.com/vmfs/volumes/datastore1/guest/guest.vmx'
15 [-o* options]
16 virt-v2v
18 -ic 'vpx://root@vcenter.example.com/Datacenter/esxi?no_verify=1'
19 -it vddk
20 -io vddk-libdir=/path/to/vmware-vix-disklib-distrib
21 -io vddk-thumbprint=xx:xx:xx:...
22 "GUEST NAME"
23 [-o* options]
24 virt-v2v -i ova DISK.ova [-o* options]
26 virt-v2v
28 -ic 'vpx://root@vcenter.example.com/Datacenter/esxi?no_verify=1'
29 "GUEST NAME" [-o* options]
30
32 This page documents how to use virt-v2v(1) to convert guests from
33 VMware. There are currently five different methods to access VMware:
34 -i vmx GUEST.vmx
36 Full documentation: "INPUT FROM VMWARE VMX"
37 If you either have a GUEST.vmx file and one or more GUEST.vmdk disk
39 image files, or if you are able to NFS-mount the VMware storage,
40 then you can use the -i vmx method to read the source guest.
41 -i vmx -it ssh ssh://...
43 Full documentation: "INPUT FROM VMWARE VMX"
44 This is similar to the method above, except it uses an SSH
46 connection to ESXi to read the GUEST.vmx file and associated disks.
47 This requires that you have enabled SSH access to the VMware ESXi
48 hypervisor - in the default ESXi configuration this is turned off.
49 -ic vpx://... -it vddk
51 -ic esx://... -it vddk
52 Full documentation: "INPUT FROM VDDK"
53 This method uses the proprietary VDDK library (a.k.a. VixDiskLib)
55 to access the VMware vCenter server or VMware ESXi hypervisor.
56 If you have the proprietary library then this method is usually the
58 fastest and most flexible. If you don't have or don't want to use
59 non-free software then the VMX or SSH methods above will be best.
60 -i ova DISK.ova
62 Full documentation: "INPUT FROM VMWARE OVA"
63 With this method you must first export the guest (eg. from vSphere)
65 as an .ova file, which virt-v2v can then read directly. Note this
66 method only works with files exported from VMware, not OVA files
67 that come from other hypervisors or management systems, since OVA
68 is only a pretend standard and is not compatible or interoperable
69 between vendors.
70 -ic vpx://... "GUEST NAME"
72 Full documentation: "INPUT FROM VMWARE VCENTER SERVER"
73 If none of the above methods is available, then use this method to
75 import a guest from VMware vCenter. This is the slowest method.
76
78 Virt-v2v is able to import guests from VMware’s vmx files.
79 This is useful in two cases:
81 1. VMware virtual machines are stored on a separate NFS server and you
83 are able to mount the NFS storage directly.
84 2. You have enabled SSH access to the VMware ESXi hypervisor and there
86 is a "/vmfs/volumes" folder containing the virtual machines.
87 If you find a folder of files called guest.vmx, guest.vmxf, guest.nvram
89 and one or more .vmdk disk images, then you can use this method.
90 VMX: Guest must be shut down
92 The guest must be shut down before conversion starts. If you don't
93 shut it down, you will end up with a corrupted VM disk on the target.
94 With other methods, virt-v2v tries to prevent concurrent access, but
95 because the -i vmx method works directly against the storage, checking
96 for concurrent access is not possible.
97 VMX: Access to the storage containing the VMX and VMDK files
99 If the vmx and vmdk files aren't available locally then you must either
100 mount the NFS storage on the conversion server or enable passwordless
101 SSH on the ESXi hypervisor.
102 VMX: SSH authentication
104 You can use SSH password authentication, by supplying the name of a
106 file containing the password to the -ip option (note this option does
107 not take the password directly).
108 If you are not using password authentication, an alternative is to use
110 ssh-agent, and add your ssh public key to
111 /etc/ssh/keys-root/authorized_keys (on the ESXi hypervisor). After
112 doing this, you should check that passwordless access works from the
113 virt-v2v server to the ESXi hypervisor. For example:
114 $ ssh root@esxi.example.com
116 [ logs straight into the shell, no password is requested ]
117 VMX: Construct the SSH URI
119 When using the SSH input transport you must specify a remote
121 "ssh://..." URI pointing to the VMX file. A typical URI looks like:
122 ssh://root@esxi.example.com/vmfs/volumes/datastore1/my%20guest/my%20guest.vmx
124 Any space must be escaped with %20 and other non-ASCII characters may
126 also need to be URI-escaped.
127 The username is not required if it is the same as your local username.
129 You may optionally supply a port number after the hostname if the SSH
131 server is not listening on the default port (22).
132 VMX: Importing a guest
134 To import a vmx file from a local file or NFS, do:
135 $ virt-v2v -i vmx guest.vmx -o local -os /var/tmp
137 To import a vmx file over SSH, add -it ssh to select the SSH transport
139 and supply a remote SSH URI:
140 $ virt-v2v \
142 -i vmx -it ssh \
143 "ssh://root@esxi.example.com/vmfs/volumes/datastore1/guest/guest.vmx" \
144 -o local -os /var/tmp
145 Virt-v2v processes the vmx file and uses it to find the location of any
147 vmdk disks.
148
150 Virt-v2v is able to import guests using VMware’s proprietary VDDK
151 library (a.k.a. VixDiskLib).
152 VDDK: Prerequisites
154 1. As the VDDK library is not open source, and the license of this
155 library does not permit redistribution or commercial use, you must
156 obtain VDDK yourself and satisfy yourself that your usage of the
157 library is permitted by the license.
158 2. nbdkit ≥ 1.6 is recommended, as it ships with the VDDK plugin
160 enabled unconditionally.
161 3. You must find the SSL "thumbprint" of your VMware server. How to
163 do this is explained in nbdkit-vddk-plugin(1), also available at
164 the link above.
165 4. VDDK imports require a feature added in libvirt ≥ 3.7.
167 VDDK: ESXi NFC service memory limits
169 In the verbose log you may see errors like:
170 nbdkit: vddk[3]: error: [NFC ERROR] NfcFssrvrProcessErrorMsg:
172 received NFC error 5 from server: Failed to allocate the
173 requested 2097176 bytes
174 This seems especially common when there are multiple parallel
176 connections open to the VMware server.
177 These can be caused by resource limits set on the VMware server. You
179 can increase the limit for the NFC service by editing
180 /etc/vmware/hostd/config.xml and adjusting the "<maxMemory>" setting:
181 <nfcsvc>
183 <path>libnfcsvc.so</path>
184 <enabled>true</enabled>
185 <maxMemory>50331648</maxMemory>
186 <maxStreamMemory>10485760</maxStreamMemory>
187 </nfcsvc>
188 and restarting the "hostd" service:
190 # /etc/init.d/hostd restart
192 For more information see https://bugzilla.redhat.com/1614276.
194 VDDK: URI
196 Construct the correct "vpx://" (for vCenter) or "esx://" (for ESXi)
197 URL. It will look something like these:
198 vpx://root@vcenter.example.com/Datacenter/esxi
200 esx://root@esxi.example.com
202 To verify that you have the correct URL, use the virsh(1) command to
204 list the guests on the server:
205 $ virsh -c 'vpx://root@vcenter.example.com/Datacenter/esxi' list --all
207 Enter root's password for vcenter.example.com: ***
208 Id Name State
210 ----------------------------------------------------
211 - Fedora 20 shut off
212 - Windows 2003 shut off
213 If you get an error "Peer certificate cannot be authenticated with
215 given CA certificates" or similar, then you can either import the
216 vCenter host’s certificate, or bypass signature verification by adding
217 the "?no_verify=1" flag:
218 $ virsh -c 'vpx://root@vcenter.example.com/Datacenter/esxi?no_verify=1' list --all
220 You should also try dumping the metadata from any guest on your server,
222 like this:
223 $ virsh -c 'vpx://root@vcenter.example.com/Datacenter/esxi' dumpxml "Windows 2003"
225 <domain type='vmware'>
226 <name>Windows 2003</name>
227 [...]
228 <vmware:moref>vm-123</vmware:moref>
229 </domain>
230 If "<vmware:moref>" does not appear in the metadata, then you need to
232 upgrade libvirt.
233 If the above commands do not work, then virt-v2v is not going to work
235 either. Fix your URI and/or your VMware server before continuing.
236 VDDK: Importing a guest
238 The -it vddk parameter selects VDDK as the input transport for disks.
239 To import a particular guest from vCenter server or ESXi hypervisor,
241 use a command like the following, substituting the URI, guest name and
242 SSL thumbprint:
243 $ virt-v2v \
245 -ic 'vpx://root@vcenter.example.com/Datacenter/esxi?no_verify=1' \
246 -it vddk \
247 -io vddk-libdir=/path/to/vmware-vix-disklib-distrib \
248 -io vddk-thumbprint=xx:xx:xx:... \
249 "Windows 2003" \
250 -o local -os /var/tmp
251 Other options that you might need to add in rare circumstances include
253 -io vddk-config, -io vddk-cookie, -io vddk-nfchostport, -io vddk-port,
254 -io vddk-snapshot, and -io vddk-transports, which are all explained in
255 the nbdkit-vddk-plugin(1) documentation. Do not use these options
256 unless you know what you are doing.
257 VDDK: Debugging VDDK failures
259 The VDDK library can be operated in a verbose mode where it gives
260 (very) verbose messages. Use ‘virt-v2v -v -x’ as usual to enable
261 verbose messages.
262
264 Virt-v2v is able to import guests from VMware’s OVA (Open
265 Virtualization Appliance) files. Only OVAs exported from VMware
266 vSphere will work.
267 OVA: Create OVA
269 To create an OVA in vSphere, use the "Export OVF Template" option (from
270 the VM context menu, or from the File menu). Either "Folder of files"
271 (OVF) or "Single file" (OVA) will work, but OVA is probably easier to
272 deal with. OVA files are really just uncompressed tar files, so you
273 can use commands like "tar tf VM.ova" to view their contents.
274 Create OVA with ovftool
276 You can also use VMware’s proprietary "ovftool":
278 ovftool --noSSLVerify \
280 vi://USER:PASSWORD@esxi.example.com/VM \
281 VM.ova
282 To connect to vCenter:
284 ovftool --noSSLVerify \
286 vi://USER:PASSWORD@vcenter.example.com/DATACENTER-NAME/vm/VM \
287 VM.ova
288 For Active Directory-aware authentication using down-level logon names
290 ("DOMAIN\USER"), you have to express the "\" character in the form of
291 its ascii hex-code (%5c):
292 vi://DOMAIN%5cUSER:PASSWORD@...
294 OVA: Importing a guest
296 To import an OVA file called VM.ova, do:
297 $ virt-v2v -i ova VM.ova -o local -os /var/tmp
299 If you exported the guest as a "Folder of files", or if you unpacked
301 the OVA tarball yourself, then you can point virt-v2v at the directory
302 containing the files:
303 $ virt-v2v -i ova /path/to/files -o local -os /var/tmp
305
307 Virt-v2v is able to import guests from VMware vCenter Server.
308 vCenter ≥ 5.0 is required. If you don’t have vCenter, using OVA or VMX
310 is recommended instead (see "INPUT FROM VMWARE OVA" and/or "INPUT FROM
311 VMWARE VMX").
312 Virt-v2v uses libvirt for access to vCenter, and therefore the input
314 mode should be -i libvirt. As this is the default, you don't need to
315 specify it on the command line.
316 vCenter: URI
318 The libvirt URI of a vCenter server looks something like this:
319 vpx://user@server/Datacenter/esxi
321 where:
323 "user@"
325 is the (optional, but recommended) user to connect as.
326 If the username contains a backslash (eg. "DOMAIN\USER") then you
328 will need to URI-escape that character using %5c: "DOMAIN%5cUSER"
329 (5c is the hexadecimal ASCII code for backslash.) Other
330 punctuation may also have to be escaped.
331 "server"
333 is the vCenter Server (not hypervisor).
334 "Datacenter"
336 is the name of the datacenter.
337 If the name contains a space, replace it with the URI-escape code
339 %20.
340 "esxi"
342 is the name of the ESXi hypervisor running the guest.
343 If the VMware deployment is using folders, then these may need to be
345 added to the URI, eg:
346 vpx://user@server/Folder/Datacenter/esxi
348 For full details of libvirt URIs, see: http://libvirt.org/drvesx.html
350 Typical errors from libvirt / virsh when the URI is wrong include:
352 · Could not find datacenter specified in [...]
354 · Could not find compute resource specified in [...]
356 · Path [...] does not specify a compute resource
358 · Path [...] does not specify a host system
360 · Could not find host system specified in [...]
362 vCenter: Test libvirt connection to vCenter
364 Use the virsh(1) command to list the guests on the vCenter Server like
365 this:
366 $ virsh -c 'vpx://root@vcenter.example.com/Datacenter/esxi' list --all
368 Enter root's password for vcenter.example.com: ***
369 Id Name State
371 ----------------------------------------------------
372 - Fedora 20 shut off
373 - Windows 2003 shut off
374 If you get an error "Peer certificate cannot be authenticated with
376 given CA certificates" or similar, then you can either import the
377 vCenter host’s certificate, or bypass signature verification by adding
378 the "?no_verify=1" flag:
379 $ virsh -c 'vpx://root@vcenter.example.com/Datacenter/esxi?no_verify=1' list --all
381 You should also try dumping the metadata from any guest on your server,
383 like this:
384 $ virsh -c 'vpx://root@vcenter.example.com/Datacenter/esxi' dumpxml "Windows 2003"
386 <domain type='vmware'>
387 <name>Windows 2003</name>
388 [...]
389 </domain>
390 If the above commands do not work, then virt-v2v is not going to work
392 either. Fix your libvirt configuration and/or your VMware vCenter
393 Server before continuing.
394 vCenter: Importing a guest
396 To import a particular guest from vCenter Server, do:
397 $ virt-v2v -ic 'vpx://root@vcenter.example.com/Datacenter/esxi?no_verify=1' \
399 "Windows 2003" \
400 -o local -os /var/tmp
401 where "Windows 2003" is the name of the guest (which must be shut
403 down).
404 Note that you may be asked for the vCenter password twice. This
406 happens once because libvirt needs it, and a second time because
407 virt-v2v itself connects directly to the server. Use -ip filename to
408 supply a password via a file.
409 In this case the output flags are set to write the converted guest to a
411 temporary directory as this is just an example, but you can also write
412 to libvirt or any other supported target.
413 vCenter: Non-administrator role
415 Instead of using the vCenter Administrator role, you can create a
416 custom non-administrator role to perform the conversion. You will
417 however need to give it a minimum set of permissions as follows (using
418 VMware vCenter 6.5):
419 1. Create a custom role in vCenter.
421 2. Enable (check) the following objects:
423 Datastore:
425 - Browse datastore
426 - Low level file operations
427 Sessions:
429 - Validate session
430 Virtual Machine:
432 Interaction:
433 - Guest operating system management by VIX API
434 Provisioning:
435 - Allow disk access
436 - Allow read-only disk access
437 vCenter: Firewall and proxy settings
439 vCenter: Ports
440 If there is a firewall between the virt-v2v conversion server and the
442 vCenter server, then you will need to open port 443 (https) and port
443 5480.
444 Port 443 is used to copy the guest disk image(s). Port 5480 is used to
446 query vCenter for guest metadata.
447 These port numbers are only the defaults. It is possible to
449 reconfigure vCenter to use other port numbers. In that case you would
450 need to specify those ports in the "vpx://" URI. See "vCenter: URI"
451 above.
452 These ports only apply to virt-v2v conversions. You may have to open
454 other ports for other vCenter functionality, for example the web user
455 interface. VMware documents the required ports for vCenter in their
456 online documentation.
457 ┌────────────┐ port 443 ┌────────────┐ ┌────────────┐
459 │ virt-v2v │────────────▶ vCenter │────────▶ ESXi │
460 │ conversion │────────────▶ server │ │ hypervisor │
461 │ server │ port 5480 │ │ │ ┌─────┐ │
462 └────────────┘ └────────────┘ │ │guest│ │
463 └───┴─────┴──┘
464 (In the diagram above the arrows show the direction in which the TCP
466 connection is initiated, not necessarily the direction of data
467 transfer.)
468 Virt-v2v itself does not connect directly to the ESXi hypervisor
470 containing the guest. However vCenter connects to the hypervisor and
471 forwards the information, so if you have a firewall between vCenter and
472 its hypervisors you may need to open additional ports (consult VMware
473 documentation).
474 The proxy environment variables ("https_proxy", "all_proxy",
476 "no_proxy", "HTTPS_PROXY", "ALL_PROXY" and "NO_PROXY") are ignored when
477 doing vCenter conversions.
478 vCenter: SSL/TLS certificate problems
480 You may see this error:
481 CURL: Error opening file: SSL: no alternative certificate subject
483 name matches target host name
484 (You may need to enable debugging with ‘virt-v2v -v -x’ to see this
486 message).
487 This can be caused by using an IP address instead of the fully-
489 qualified DNS domain name of the vCenter server, ie. use
490 "vpx://vcenter.example.com/..." instead of "vpx://11.22.33.44/..."
491 Another certificate problem can be caused by the vCenter server having
493 a mismatching FQDN and IP address, for example if the server acquired a
494 new IP address from DHCP. To fix this you need to change your DHCP
495 server or network configuration so that the vCenter server always gets
496 a stable IP address. After that log in to the vCenter server’s admin
497 console at "https://vcenter:5480/". Under the "Admin" tab, select
498 "Certificate regeneration enabled" and then reboot it.
499
501 virt-v2v(1).
502
504 Richard W.M. Jones
505
507 Copyright (C) 2009-2020 Red Hat Inc.
508
510 This program is free software; you can redistribute it and/or modify it
511 under the terms of the GNU General Public License as published by the
512 Free Software Foundation; either version 2 of the License, or (at your
513 option) any later version.
514 This program is distributed in the hope that it will be useful, but
516 WITHOUT ANY WARRANTY; without even the implied warranty of
517 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
518 General Public License for more details.
519 You should have received a copy of the GNU General Public License along
521 with this program; if not, write to the Free Software Foundation, Inc.,
522 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
523
525 To get a list of bugs against libguestfs, use this link:
526 https://bugzilla.redhat.com/buglist.cgi?component=libguestfs&product=Virtualization+Tools
527 To report a new bug against libguestfs, use this link:
529 https://bugzilla.redhat.com/enter_bug.cgi?component=libguestfs&product=Virtualization+Tools
530 When reporting a bug, please supply:
532 · The version of libguestfs.
534 · Where you got libguestfs (eg. which Linux distro, compiled from
536 source, etc)
537 · Describe the bug accurately and give a way to reproduce it.
539 · Run libguestfs-test-tool(1) and paste the complete, unedited output
541 into the bug report.
542virt-v2v-1.43.1 2020-06-19 virt-v2v-input-vmware(1)