dissect.vmfs.vmfs¶
Module Contents¶
Classes¶
VMFS filesystem implementation. |
- class dissect.vmfs.vmfs.VMFS(volume: BinaryIO | None = None, vh: BinaryIO | None = None, fdc: BinaryIO | None = None, fbb: BinaryIO | None = None, sbc: BinaryIO | None = None, pbc: BinaryIO | None = None, pb2: BinaryIO | None = None, jbc: BinaryIO | None = None)¶
VMFS filesystem implementation.
The VMFS filesystem is a complex clustered filesystem used by VMware ESXi. This implementation aims to provide a read-only interface for reading VMFS filesystems, supporting VMFS5 and VMFS6. Locks and such are not implemented, so feel free to read any file to your heart’s content.
Within ESXi, the VMFS filesystem is tightly coupled with the VMFS LVM (Logical Volume Manager). You can have a raw LVM if you want, but VMFS must be placed on an LVM volume. The LVM is responsible for managing the physical storage across one or more physical disks (devices), while the VMFS filesystem is responsible for managing the files and directories. Both are multi-host aware, meaning that multiple ESXi hosts can access and claim locks on individual parts of both the LVM and the filesystem.
Within our implementation, we decouple the LVM and VMFS filesystem. The LVM implementation behaves like any other volume manager, providing raw volume access to any underlying storage. The VMFS filesystem implementation can be used on any file-like object that contains a VMFS filesystem, not technically requiring it to be a volume managed by the LVM. However, in practice, you will most often use the LVM implementation to access the VMFS filesystem. Unless you imaged a VMFS filesystem directly from
/dev/lvm, for some reason 🤷♂️.This implementation can be initialized with a file-like object of a VMFS volume, or from individual system files. When initialized from a volume, a VMFS
LVMvolume must already have been loaded. When initialized from individual system files, you can inspect most of the filesystem (including browing most directories), but you won’t be able to access most file data directly.Note
A lot of the math consists of bitwise shifts and masks, which translate to modulo or multiplication operations. For the sake of “maintainability” in relation to the original “code”, we keep this as bitwise masks, at the sacrifice of some human readability. Comments explaining as such are placed where appropriate.
- Parameters:
volume – A file-like object of a VMFS volume.
vh – An optional file-like object of the VMFS volume header file system file (
.vh.sf).fdc – An optional file-like object of the file descriptor cluster system file (
.fdc.sf).fbb – An optional file-like object of the file block system file (
.fbb.sf).sbc – An optional file-like object of the sub-block cluster system file (
.sbc.sf).pbc – An optional file-like object of the pointer block cluster system file (
.pbc.sf).pb2 – An optional file-like object of the pointer block 2 system file (
.pb2.sf).jbc – An optional file-like object of the journal block cluster system file (
.jbc.sf).
- fh = None¶
- descriptor¶
- md_alignment¶
- file_block_size¶
- sub_block_size¶
- major_version¶
- minor_version¶
- uuid¶
- label¶
- resources¶
- file_descriptor¶
- root¶
- property is_vmfs5: bool¶
Whether this is a VMFS5 filesystem.
- property is_vmfs6: bool¶
Whether this is a VMFS6 filesystem.
- property is_local: bool¶
Whether this is a “local” VMFS filesystem (VMFS-L).
- get(path: str | int | dissect.vmfs.descriptor.DirEntry, node: dissect.vmfs.descriptor.FileDescriptor | None = None) dissect.vmfs.descriptor.FileDescriptor¶