Installing ascp on ESXi 5



Normally an ESX server is accessed through the VMware GUI in order to manipulate the various VMs, and the ESX server's own OS is considered something of a "black box." In fact, the ESX OS is simply a specialized Linux, to which you may log in and issue ordinary Linux commands. Accordingly, it is possible to install Aspera on ESX and use it to transfer files. The use case which prompted this KB article involved copying VMs between ESXi5 servers in California and India.

Each release of ESX OS has been a different level of "black box"; some have been rather difficult Aspera installations. Fortunately, the current release, ESXi 5, is fairly easy. 



1. Install ascp

2. Edit the firewall rules

3. Test

4. Make the firewall rule change persistent

Install ascp

The idea is to install a bare ascp binary, without any of the normal package trappings. We must also install a license file and a stub aspera.conf file.

1. Upload the ascp binary to /usr/lib/vmware/openssh/bin.
2. Create a symbolic link /bin/ascp that points to /usr/lib/vmware/openssh/bin/ascp:

ln -s /usr/lib/vmware/openssh/bin/ascp /bin/ascp

3. Upload the license file and call it /usr/lib/vmware/openssh/etc/aspera-license. You may first have to create the directory /usr/lib/vmware/openssh/etc.

4. Create a stub /usr/lib/vmware/openssh/etc/aspera.conf file. At minimum the stub file must say:

<?xml version='1.0' encoding='UTF-8'?>
<CONF version="2">
</CONF>

5. Run ascp -A to verify that ascp recognizes the license file.

6. Repeat for the destination ESX server.

Edit the ESX firewall rules

The ESXi5 server comes with a built-in firewall. Although we can enable or disable existing rules from the VMware GUI, it is not possible to use the GUI to add new rules. So we must add an Aspera rule manually by editing the XML file containing the firewall rules.

1. Create a backup of the existing firewall ruleset:

cd /etc/vmware/firewall
cp -p service.xml service.xml.orig

2. Edit using vi:

vi service.xml

3. Be careful! Double-check your work.

4. Add a new stanza at the bottom as follows. For the service ID number, use the next number in sequence. In this example, there were 32 other service stanzas in the service.xml file, so I made the Aspera stanza #33. The outbound UDP will use a random port chosen by the kernel, so a port range is required. 

<service id="0033">
<rule id='0000'>
<rule id='0001'>

5. Enable the new Aspera rule:

esxcli network firewall refresh

6. Verify that the new Aspera service has been added to the firewall ruleset. You should see Aspera  true at the bottom.

esxcli network firewall ruleset list

7. Repeat for the destination ESX server
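
The double-check in step 3, as an added example (not part of the original article and not Aspera or VMware tooling): a Python check to run against a copy of the edited service.xml before the refresh in step 5. The sample ruleset, its ConfigRoot root element, the rule element names and every port number are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the article's stanza: element names are assumed to
# follow the stock entries in service.xml; all port numbers are placeholders.
SAMPLE = """<ConfigRoot>
  <service id='0032'><id>examplePrior</id><enabled>false</enabled></service>
  <service id='0033'>
    <id>Aspera</id>
    <rule id='0000'>
      <direction>inbound</direction><protocol>udp</protocol>
      <porttype>dst</porttype><port>33001</port>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction><protocol>udp</protocol>
      <porttype>dst</porttype><port><begin>40000</begin><end>40100</end></port>
    </rule>
    <enabled>true</enabled><required>false</required>
  </service>
</ConfigRoot>"""

def check_ruleset(xml_text, name):
    """Return (problems, rules) for the service whose <id> is `name`."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # unclosed tags, stray characters, etc.
        return ["not well-formed: %s" % exc], []
    problems, rules = [], []
    services = list(root.iter("service"))
    ids = [s.get("id", "") for s in services]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        problems.append("duplicate service id %s" % dup)
    matches = [s for s in services if s.findtext("id") == name]
    if len(matches) != 1:
        problems.append("expected one %s service, found %d" % (name, len(matches)))
    for svc in matches:
        if svc.get("id", "") != max(ids):
            problems.append("%s does not carry the highest service id" % name)
        for r in svc.findall("rule"):
            port = r.find("port")
            if port is None:
                problems.append("rule %s has no <port>" % r.get("id"))
                continue
            # A single port is reported as a range of one.
            lo = port.findtext("begin") or port.text
            hi = port.findtext("end") or port.text
            rules.append((r.findtext("direction"), r.findtext("protocol"), int(lo), int(hi)))
    return problems, rules

if __name__ == "__main__":
    print(check_ruleset(SAMPLE, "Aspera"))
```

An empty problems list means the file parses and the new stanza is unique and last in sequence; the returned rules show exactly which directions, protocols and port ranges the stanza opens.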


Test

1. Test ascp between the two ESX servers.

2. Warning! Do not copy VM images unless they are powered off.

Make the firewall change persistent

The changes we made to service.xml do not persist across reboots of the ESX server. We must copy the service.xml file to persistent storage, then edit an init script to restore the service.xml file upon reboot.

1. Copy the newly defined xml file onto persistent storage (such as /store/) or onto a vmfs volume (/vmfs/volumes/<volume>/):

cp -p /etc/vmware/firewall/service.xml /location/of/persistent/storage

2. Make a copy of the /etc/rc.local file (for ESXi 5.0) or the /etc/profile.local file (for ESXi 5.1):

cd /etc
cp -p rc.local rc.local.orig
cp -p profile.local profile.local.orig 

3. Add these lines to the /etc/rc.local file (for ESXi 5.0) or /etc/profile.local file (for ESXi 5.1):

cp -p /location/of/persistent/storage/service.xml /etc/vmware/firewall
esxcli network firewall refresh

4. Note: Changes to the contents of the rc.local file are not migrated across ESXi version upgrades. Revert these changes prior to an upgrade, then perform these steps after the upgrade.



Here are some VMware KB articles for further reference:

1. Creating custom firewall rules in VMware ESXi 5.0

2. User defined xml firewall configurations are not persistent across ESXi host reboots

3. Changing the port used by SSH on an ESXi 5.0 host
