This KB provides guidance on safe importing of virtual machines (VMs) and explains why .vmdk files should not be imported without any sanitization.
Virtual machines are made from configuration files and content files. The .vmx and .vmdk files of a virtual machine hold its configuration and define the virtual machine's runtime container. They contain privileged information that is not part of what is inside this container.
Virtual machine configuration files should be carefully handled when imported into ESX/ESXi. In an environment that allows less privileged or untrusted users to import virtual machines, user-provided virtual machine configuration files such as .vmx and .vmdkfiles must be sanitized.
VMware recommends that virtual machines are imported using the Open Virtualization Format (OVF). The OVF specification describes an open, secure, portable, efficient and extensible format for the packaging and distribution of software to be run in virtual machines. During the import while the VMware specific configuration files are created, sanitization of the configuration files occurs.
Below are answers to frequently asked questions on OVF files.
Q. Is it possible to import VMDKs directly?
A. While it is possible to import a VMDK file directly this is strongly discouraged outside of controlled environments. Less privileged or untrusted users should not be allowed access to hypervisor storage. The VMware recommended method of importing VMDK files is an OVF import that verifies the VMDK. VMware Cloud Director, for example, only allows VMs to be imported as OVFs. vCenter Server allows both OVF files and VMDK file to be imported.
Q. What is the difference between OVF and VMDK?
A. An OVF file generically describes both a virtual machine and its disks, while a VMDK descriptor file only describes the files/devices of a virtual disk. OVF files can refer to VMDK disk images but not to VMDK descriptors. This is further explained here.
Q. Where can I find more information on VMDK file integrity?
A. See KB 1003743: Verifying ESX/ESXi virtual machine file integrity and KB 1002511: Recreating a missing virtual machine disk(VMDK) descriptor file.