The orchestration of VMware ESXi hosts using Ansible typically centers around the vCenter Server, which acts as the primary API gateway and management plane for the virtualization layer. However, a significant portion of the technical community, particularly those operating home labs, learning environments, or small-scale edge deployments, requires the ability to manage ESXi hosts in a standalone capacity. The transition from vCenter-managed environments to standalone management introduces critical technical hurdles, primarily revolving around API access, licensing restrictions, and the evolution of Ansible collections. Understanding the nuances of managing ESXi without vCenter requires a deep dive into the interaction between the community.vmware collection, the PyVmomi library, and the inherent restrictions placed on the ESXi Free Hypervisor license.
The Technical Architecture of Ansible and VMware Communication
To understand why managing standalone ESXi hosts is complex, one must first examine the underlying communication stack. Ansible does not communicate with ESXi hosts via a proprietary protocol; instead, it leverages the community.vmware collection, which is built upon PyVmomi. PyVmomi is the Python SDK for the VMware vSphere API.
The vSphere API is the foundational layer that allows for the programmatic creation, modification, and deletion of virtual machines and host configurations. In a standard enterprise deployment, vCenter Server acts as the centralized API endpoint. When an Ansible module like community.vmware.vmware_host_config_manager is executed, it typically targets the vCenter API, which then proxies the command to the specific ESXi host.
When attempting to bypass vCenter, the Ansible module must target the ESXi host's API directly. While the ESXi host does possess its own API server, it is significantly more limited than the one provided by vCenter. This architectural distinction is the root cause of many "Failed to create virtual machine" errors and the inability to perform certain "write" operations. For the user, this means that while read-only operations or basic configurations might work, advanced orchestration often hits a wall unless the specific module is designed for standalone interaction.
Limitations of Standalone ESXi Management and Licensing
A critical conflict arises when utilizing the ESXi Free Hypervisor license. VMware intentionally restricts the API capabilities of the free license to encourage the adoption of paid licenses and vCenter management.
The Deprecation of vsphereguest and the Shift to vmwareguest
Historically, the vsphere_guest module provided a pathway for users to create and manage guest VMs on standalone ESXi servers using the free hypervisor license. This was a vital tool for home lab enthusiasts. However, the industry has shifted toward the vmware_guest module.
The transition from vsphere_guest to vmware_guest is not a simple renaming; it represents a change in how the API is interfaced. Users attempting to migrate playbooks from the deprecated vsphere_guest to vmware_guest have reported catastrophic failures. Specifically, the error message Failed to create virtual machine due to product versioning restrictions: Current license or ESXi version prohibits execution of the requested operation indicates that the vmware_guest module relies on API calls that are strictly forbidden on standalone hosts with free licenses.
The impact of this change is profound: it effectively removes the ability to perform "write" operations (such as creating a new VM) via Ansible on standalone free-licensed hosts. This forces the administrator to either upgrade their license or rely on manual interventions.
The Cloning Gap in Standalone Environments
One of the most significant technical voids in standalone ESXi management is the inability to duplicate or clone virtual machines. In a vCenter-managed environment, cloning is a native API operation. In a standalone environment, the clone operation is unavailable via the standard community.vmware.vmware_guest module.
To circumvent this, a specific functional requirement has been identified for a community.vmware.vmware_guest_copy operation. Because the API does not support cloning without vCenter, a manual "file-system level" approach is required. This involves:
- Ensuring the source VM is completely powered off to avoid file locks.
- Copying the VM folder from the source to a new destination folder on the same datastore.
- Renaming the .vmx configuration file to match the new VM name.
- Registering the renamed .vmx file into the ESXi inventory.
This sequence demonstrates that while the high-level API fails, the underlying datastore remains accessible, allowing for a workaround that simulates cloning through file manipulation and registration.
Managing Advanced Host Settings Without vCenter
The challenge of modifying advanced settings on standalone hosts is a common pain point. Users often attempt to use the community.vmware.vmware_host_config_manager module to change settings such as Config.HostAgent.log.level or Annotations.WelcomeMessage.
The technical reality is that many of these modules are designed with the expectation of a vCenter hostname. Even when an esxi_hostname is provided, the module may still look for vCenter's API server to authenticate the request. This creates a paradoxical situation where the user wants to configure the host before adding it to vCenter, but the tools designed for configuration require vCenter to function.
Alternative Configuration Pathways
When the VMware API is restricted by licensing or the absence of vCenter, administrators must pivot to alternative management methods:
- SSH and Console Commands: If the ESXi Shell and SSH services are enabled, it is possible to make changes using the command line. However, this requires the host to have Python installed if Ansible is to be used as the orchestrator. Standard ESXi installations do not provide a full Python environment suitable for traditional Ansible
sshmodules, which usually expect a Linux-like environment. - Direct API Calls: Using specialized scripts that interact with the ESXi host's local API, bypassing the higher-level Ansible abstractions that assume a vCenter presence.
Single Touch and Zero Touch Provisioning (STZP)
While standalone management is restrictive, the "Single Touch" or "Zero Touch" provisioning model provides a comprehensive framework for getting a host from a powered-off state to a production-ready state. This process is divided into two distinct phases.
Phase 1: Bare Metal Installation
The goal of Single Touch provisioning is to eliminate human interaction during the OS installation. This is achieved through a custom-built ISO containing embedded Kickstart files.
The technical workflow involves:
- Creating a custom ESXi ISO.
- Using a web server (such as Nginx) to host the ISO files.
- Utilizing out-of-band management tools, such as HPE iLO or Dell iDRAC, to boot the server remotely.
For example, an Ansible playbook can use the hpilo_boot module to trigger the boot process:
yaml
- name: Booting once using the custom built iso . . .
hpilo_boot:
host: "{{ ilo_ip }}"
login: admin
password: "{{ ilo_password }}"
media: cdrom
image: http://#.#.#.#/isos/{{ esxi_hostname }}.iso
delegate_to: localhost
In this workflow, the shell module is often used to move the generated ISO to the web server directory:
shell
mv /opt/baremetal/{{ esxi_hostname }}.iso /usr/share/nginx/html/isos/
Phase 2: Host Configuration and vCenter Integration
Once the host is installed and boots into the OS, it is in a "raw" state. The second phase of automation focuses on bringing the host into the management plane. While the initial install is "standalone," the subsequent configuration typically leverages vCenter to unlock full functionality.
The standard configuration sequence includes:
- Adding the host to a specified vCenter Cluster.
- Applying the official license key to remove the "free" restrictions.
- Configuring networking by adding vmnic1 to Standard vSwitch0.
- Modifying advanced settings and configuring the Syslog Loghost.
- Restarting the syslog service to commit changes.
- Setting the Power Management profile to "High Performance".
- Creating a vmkernel port group and assigning an IP address for vMotion.
- Configuring NTP and ensuring the service starts at boot.
- Integrating vmnic2 and vmnic3 into a vSphere Distributed Switch (vDS).
- Ensuring security compliance by disabling the ESXi Shell and SSH services.
- Removing the host from Maintenance Mode.
Comparison of Standalone vs. vCenter-Managed Automation
The following table outlines the functional differences when using Ansible for ESXi management based on the presence of vCenter and license types.
| Feature | Standalone (Free License) | Standalone (Paid License) | vCenter Managed |
|---|---|---|---|
| VM Creation | Extremely Limited/Failing | Possible via API | Fully Supported |
| VM Cloning | Not Supported (Manual Only) | Limited | Fully Supported |
| Advanced Settings | Restricted API | Supported | Fully Supported |
| vMotion Config | Not Applicable | Supported | Fully Supported |
| Distributed Switch | Not Supported | Not Supported | Fully Supported |
| Provisioning | Manual/Kickstart | Manual/Kickstart | Single Touch/Zero Touch |
Technical Analysis of the "State" Concept in VMware Modules
In Ansible, the state parameter is used to define the desired end-state of a resource. When using the vmware_host module, state: present implies that the host should exist within the vCenter inventory.
The operational impact of this is that the module does not simply check if the server is powered on; it verifies if the vCenter API recognizes the host as a managed entity. If the host is standalone, the state: present logic fails because there is no vCenter database to reference. This reinforces the necessity of the two-stage provisioning process: first, the host must be installed via bare-metal automation, and second, it must be registered to vCenter to enable the high-level community.vmware modules to operate effectively.
Conclusion: The Viability of Standalone Automation
The pursuit of total automation for ESXi without vCenter reveals a stark divide between installation and management. Installation can be fully automated through "Single Touch" methods using custom ISOs and iLO/iDRAC integration, effectively achieving a zero-touch deployment of the hypervisor itself. However, post-installation management—specifically the creation and cloning of VMs—is severely hampered by VMware's licensing and API architecture.
The deprecation of vsphere_guest in favor of vmware_guest has further marginalized the ability to manage free-licensed standalone hosts. For the administrator, this means that the "standalone" experience is primarily a stepping stone to vCenter integration. While manual workarounds at the datastore level (copying .vmx files) can simulate cloning, they lack the robustness and idempotency of native Ansible modules. Ultimately, for any environment requiring scalable, write-capable automation, the transition to a vCenter-managed architecture is not merely a recommendation but a technical requirement imposed by the VMware API structure.
Sources
- Ansible Forum: Change advanced settings for standalone esxi hosts
- Ansible Forum: Ansible ending support for vSphere ESXi free hypervisor
- GitHub: community.vmware/vmwareguestcopy issue
- Thinking Out Cloud: Single Touch ESXi Provisioning with Ansible
- LinkedIn: Saleh Miri - Automated ESXi Installation on Bare-Metal Servers