May 29, 2009

Instantly Serve an ESX Directory via HTTP


python -m SimpleHTTPServer 9090

Before you type that in, understand that it's not going to work unless you've made some ill-advised changes to the Service Console firewall. Also, make sure you fully grasp the security risk you're about to take. This command will start up a simple web server on TCP port 9090 in the current working directory, allowing anyone to browse the files and subdirectories from a web browser under the security context of the user that executed the command. In other words, if you execute this as the root user, in the root directory, any file in the Service Console can be downloaded from a web browser.

This one-liner is extremely dangerous, but it is also extremely handy, and if used correctly in a properly designed environment, the potential risks can be managed. I use this all the time in my test lab to get output files from scripts by simply cd'ing to the script directory, running the above command, and pointing a web browser to http://IP_OF_ESX:9090 from the vCenter server.

How to make it safer:
  • The ESX Service Console network should be completely isolated from the LAN, and only vCenter servers and specific administrative workstations are allowed access

  • The Python command should be executed while the working directory is a folder created just for this purpose, and only contains the specific files you want to share and no subdirectories

  • The command should only be executed by a non-root user and the web server torn down as soon as the files have been downloaded by issuing a Ctrl-C

  • The root user must open a specific port in the firewall prior to using the command; for example, to open TCP port 9090:

    esxcfg-firewall --openPort 9090,tcp,in,SimpleHTTP

  • The port should then be closed immediately after the needed files have been downloaded; for example, to close down the previous command:

    esxcfg-firewall --closePort 9090,tcp,in


This also works in ESX 3.5, but the version of Python in the Service Console lacks the -m option, so the path to SimpleHTTPServer.py must be specified:

# ESX 3.5
python /usr/lib/python2.2/SimpleHTTPServer.py 9090


Might be too dangerous for production, so consider the risks carefully. But for testing, it can be really handy.

1 comment: