Open the Required Ports on ESXi Hosts
ESXi hosts communicate with the virtual container hosts (VCHs) through port 2377 via Serial Over LAN. For the deployment of a VCH to succeed, port 2377 must be open for outgoing connections on all ESXi hosts before you run
vic-machine create to deploy a VCH. Opening port 2377 for outgoing connections on ESXi hosts opens port 2377 for inbound connections on the VCHs.
vic-machine utility includes an
update firewall command, that you can use to modify the firewall on a standalone ESXi host or all of the ESXi hosts in a cluster.
You use the
--deny flags to enable and disable a firewall rule named
vSPC. When enabled, the
vSPC rule allows all outbound TCP traffic from the target host or hosts. If you disable the rule, you must configure the firewall via another method to allow outbound connections on port 2377 over TCP. If you do not enable the rule or configure the firewall, vSphere Integrated Containers Engine does not function, and you cannot deploy VCHs.
vic-machine create command does not modify the firewall. Run
vic-machine update firewall --allow before you run
- Deploy the vSphere Integrated Containers appliance. For information about deploying the appliance, see Deploy the vSphere Integrated Containers Appliance.
- Download the vSphere Integrated Containers Engine bundle,
vic_1.1.0-version.tar.gz, from https://vic_appliance_address:9443 and unpack it on your working machine. If you configured the appliance to use a different port for the file server, replace 9443 with the appropriate port.
- Open a terminal on the system on which you downloaded and unpacked the vSphere Integrated Containers Engine binary bundle.
- Navigate to the directory that contains the
vic-machine update firewallcommand.
To open the appropriate ports on all of the hosts in a vCenter Server cluster, run the following command:
$ vic-machine-operating_system update firewall --target vcenter_server_address --user "Administrator@vsphere.local" --password vcenter_server_password --compute-resource cluster_name --thumbprint thumbprint --allow
To open the appropriate ports on an ESXi host that is not managed by vCenter Server, run the following command:
$ vic-machine-operating_system update firewall --target esxi_host_address --user root --password esxi_host_password --thumbprint thumbprint --allow
vic-machine update firewall command in these examples specifies the following information:
- The address of the vCenter Server instance and datacenter, or the ESXi host, on which to deploy the VCH in the
- The user name and password for the vCenter Server instance or ESXi host in the
- In the case of a vCenter Server cluster, the name of the cluster in the
The thumbprint of the vCenter Server or ESXi host certificate in the
--thumbprintoption, if they use untrusted, self-signed certificates.
NOTE: Use upper-case letters and colon delimitation in the thumbprint. Do not use space delimitation.
--allowoption to open the port.