On October 1st 2015 VMware published Security Advisory VMSA-2015-0007. In that advisory you will find three vulnerabilities: CVE-2015-5177, CVE-2015-2342 and CVE-2015-1047.
To anticipate the questions you will surely get from your local Security Officer, I created a function to report which vSphere Servers in your environment are impacted, and which action to take.
Update October 5th 2015:
An automation scripts that prompts you is a letdown, to say the least.
A typical example of such an event is the question you get when you try to unmount a CD or DVD drive from a VM. Some Linux guest OS will place a lock on the CD or DVD, and vSphere will ask you if you want to bypass this lock. And your script just hangs there, waiting for you to reply 🙁
I have been looking for some time to come up with a solution for this automation “issue”. And finally I came up with a working solution 🙂
Continue reading Answer the question!
One of the nice vSphere features is the ability to define DRS rules.
The feature allows a vSphere administrator to control the placement of virtual machines in a vSphere cluster. There are the VM to VM affinity and anti-affinity rules, and the newer VM to VMHost rules. With the VM to VMHost rules, vSphere introduced the concept of VM and VMHost groups, and the ability to have rules that are a requirement (‘shall’) or a preference (‘should’).
In a recent VMTN PowerCLI community thread a PowerCLI user had a query about exporting and importing DRS rules and groups. At that point Matt Boren and myself developed the idea to provide a PowerShell module. The PowerShell module, which we named DRSRule, provides all the functions we deemed useful for working with DRS rules and groups. And yes, the module includes an export and an import cmdlet !
With all the fuss going round about the latest Linux vulnerability you will probably get a request from your local Security Officer to produce a report which of your Linux systems are vulnerable to the Shellshock bug. And, seen there are already several known exploits, who can blame him for asking such a report.
Since a lot of these Linux boxes are running under vSphere, we can use PowerCLI to produce such a report. The Invoke-VMScript cmdlet is the vehicle I use in the following function. With the Invoke-VMScript cmdlet it is very easy to execute, what is considered the best test to check for the vulnerability.
Update2 September 29 2014: the 2nd test from the Shellshocker gives a syntax error. The test is replaced by the one found on Michael Boelen‘s website in How to protect yourself against Shellshock Bash vulnerability. Big thanks to Wil van Antwerpen for the pointer.
Update1 September 29 2014: the function was updated to include tests for most of the known Shellshock vulnerabilities. The tests were collected from the Shellshocker site.
Continue reading PowerCLI and the Linux Shellshock vulnerability
Finding out which performance counters are available on your vSphere server over which time interval, is not always an easy task. There is of course the Performance Manager entry in the VMware vSphere API Reference, but that is not always the easiest task. Let alone finding out what a specific counter actually represents.
For that reason I decided to create a tool, which I called the Stats Toolbox, that would query the vSphere server to get the actual list of counters it collects for each interval. In the tool I added some extra features that would make working with the performance counters easier.
During our VMworld 2014 US breakout session I demonstrated the features of the Stats Toolbox, and I received quite some positive feedback.
Continue reading Stats Toolbox – A vSphere Server Performance Counter tool
One of the questions, related to working with vSphere events and tasks, that often appear in the PowerCLI Community, is how do we know which events to select for a query.
To make that task a bit easier, I wrote the Event-O-Matic script. It’s a GUI that allows you to pick a number of events, and the script will generate the PowerShell code, and place it in the clipboard. The Event-O-Matic script was mentioned during our VMworld 2013 US session VSVC4944.
Update November 9th 2022:
Update September 7th 2013:
Another interesting question in the PowerCLI Community today.
David wanted to know if it was possible to track which VMs had been failed over to another ESXi host by HA.
With the Get-VIEventPlus function from my Get the vMotion/svMotion history post it is easy to get that informatiom from the Tasks and Events that are kept in the vCenter database.
But which event to look for ?
When you need to move the content of one or more datastores, you sometimes stumble upon files that you didn’t know where there. One such type of files are dump files that are stored in a VM’s directory on the datastore.
The files I encountered were named like this:
There isn’t a lot of information available on what exactly these files are used for, besides that they seem to be created when the VM Monitor encounters a crash or a serious problem.
Since these files were quite old, and since I didn’t have any open tickets with VMware, I decided to remove these files. But of course in the PowerCLI way with a function 😉
The availability of vMotion and svMotion, provided you have a license that allows it, in vSphere are some of its key features.
The DRS and SDRS functionality will use vMotion and svMotion to better use the available resources.
And you as a vSphere administrator can use it to facilitate your work. Just think of how easy patching or datastorecluster maintenance becomes with the help of these two features.
But as an administrator you want to be able to report on what vMotion and svMotion have been doing over a specific time interval in your vSphere environment.
In the past I already provided a vMotion reporting tool in Events – Part 8 – vMotion history, but now it was time to provide a universal (s)vMotion reporting feature.
Update October 29th 2013: added additional parameters to the Get-VIEventPlus function
Update February 10th 2014: it’s always nice to see another implementation based on one of your scripts. The Opvizor solution will soon contain this function, see Dennis Zimmer‘s post called Storage vMotion Activities Report ! Continue reading Get the vMotion/svMotion history
Another post triggered by a question in the VMTN PowerCLI community. The user wanted to know how he could create a report that showed for which vSphere entities the alarm actions were disabled.
To set the stage, a short overview of what this is all about. In vSphere you can, since vSphere 4, disable and enable alarm actions for all the managed entities. This option is available from the vSphere client
and from the vSphere Web client.
But how to automate these actions, and more importantly in this case, how to report on the active settings ? Like always PowerCLI to the rescue.
