Enable Console Access to vSphere instances in OpenStack

vSphere Instance Console

Instance consoles do not work by default and require configuration on both the ESXi hosts and the Nova Compute / Nova API nodes.

1. Nova API and Nova Compute nodes (usually the same node when using OpenStack and vSphere as compute) have the following in  /etc/nova/nova.conf (this assumes its IP is


Restart the services:

$ sudo restart nova-compute
$ sudo restart nova-api
$ sudo restart nova-console
$ sudo restart nova-consoleauth
$ sudo restart nova-novncproxy

2. ESXi setup.

SSH to the ESXi host and check which ports the launched instances are listening on; these are the ports where the embedded VNC server listens:

~ # esxcli network ip connection list|grep vmx
tcp         0       0   ESTABLISHED    434739  vmx-mks:92901823-a03c-4cdd-bbb6-616a8742388a
tcp         0       0           LISTEN         434735  vmx
tcp         0       0           LISTEN         250526  vmx
tcp         0       0           LISTEN          11204  vmx

This can be confirmed by checking the .vmx file for the instances (this is set up by VMwareVCDriver):

~ # grep vnc.port /vmfs/volumes/datastore1/*/*vmx
/vmfs/volumes/datastore1/52c84203-ce3d-47b4-ab22-1d30b2816298/52c84203-ce3d-47b4-ab22-1d30b2816298.vmx:RemoteDisplay.vnc.port = "6102"
/vmfs/volumes/datastore1/92901823-a03c-4cdd-bbb6-616a8742388a/92901823-a03c-4cdd-bbb6-616a8742388a.vmx:RemoteDisplay.vnc.port = "6111"
/vmfs/volumes/datastore1/c4e7264e-a4f7-4dea-87c2-6561b86fb85d/c4e7264e-a4f7-4dea-87c2-6561b86fb85d.vmx:RemoteDisplay.vnc.port = "6101"

In general, you will notice these two config flags in the .vmx files:

RemoteDisplay.vnc.enabled = TRUE
RemoteDisplay.vnc.port = port_number
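
To keep the firewall rule as narrow as possible, it helps to know exactly which ports the VNC-enabled instances use before opening anything. The script below is an added example, not part of the original post: it reads the two flags shown above from every .vmx file under a datastore path and reports the ports in use, the range they span, and any port assigned to more than one instance. The function names and the sample datastore are constructed for illustration; on a host, pass the real datastore path as the first argument.

```sh
#!/bin/sh
# Added example, not from the original post: audit RemoteDisplay.vnc.* in .vmx files.
# Function names and the sample datastore below are constructed for illustration.

# vnc_ports DIR: print "port<TAB>vmx-path" for each VNC-enabled VM, sorted by port.
vnc_ports() {
    for f in "$1"/*/*.vmx; do
        [ -f "$f" ] || continue
        awk -F'=' -v file="$f" '
            { key = $1; val = $2
              gsub(/[ \t"\r]/, "", key); gsub(/[ \t"\r]/, "", val) }
            tolower(key) == "remotedisplay.vnc.enabled" { enabled = (toupper(val) == "TRUE") }
            tolower(key) == "remotedisplay.vnc.port"    { port = val }
            END { if (enabled && port ~ /^[0-9]+$/) printf "%s\t%s\n", port, file }
        ' "$f"
    done | sort -n
}

# vnc_port_range DIR: print "min-max", the narrowest range a firewall rule must cover.
vnc_port_range() {
    vnc_ports "$1" | awk -F'\t' 'NR == 1 { min = $1 } { max = $1 } END { if (NR) print min "-" max }'
}

# vnc_port_conflicts DIR: print ports that more than one VM is configured to use.
vnc_port_conflicts() {
    vnc_ports "$1" | cut -f1 | uniq -d
}

# make_sample: build a constructed datastore (name:enabled:port) so the script runs offline.
make_sample() {
    d=$(mktemp -d)
    for spec in vm-a:TRUE:6101 vm-b:TRUE:6111 vm-c:FALSE:6105 vm-d:TRUE:6101; do
        name=${spec%%:*}; rest=${spec#*:}
        mkdir "$d/$name"
        printf 'RemoteDisplay.vnc.enabled = "%s"\nRemoteDisplay.vnc.port = "%s"\n' \
            "${rest%%:*}" "${rest#*:}" > "$d/$name/$name.vmx"
    done
    echo "$d"
}

if [ -n "${1:-}" ]; then ds=$1; else ds=$(make_sample); fi
echo "VNC-enabled instances:"; vnc_ports "$ds"
echo "Port range to allow: $(vnc_port_range "$ds")"
echo "Ports used by more than one instance: $(vnc_port_conflicts "$ds")"
[ -n "${1:-}" ] || rm -rf "$ds"   # remove the sample only if we created it
```
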

Now you need to open these ports:

~ # chmod 644 /etc/vmware/firewall/service.xml
~ # chmod +t /etc/vmware/firewall/service.xml
~ # vi /etc/vmware/firewall/service.xml

And append this:

<service id='0033'>
<rule id='0000'>

Close vi with:


Refresh the firewall rules:

~ # esxcli network firewall refresh
~ # esxcli network firewall ruleset set --ruleset-id VNC --enabled true


Note: there are multiple ways to keep the firewall configuration after ESXi reboots; please review them and choose one to make this change permanent.

