VMSA-2015-0007 Report

On October 1st 2015 VMware published Security Advisory VMSA-2015-0007. In that advisory you will find three vulnerabilities: CVE-2015-5177, CVE-2015-2342 and CVE-2015-1047.

To anticipate the questions you will surely get from your local Security Officer, I created a function to report which vSphere Servers in your environment are impacted, and which action to take.

Update October 5th 2015:

  • Updated build numbers in $vmsaTab
  • Corrected build number testing (thanks Richard)

Answer the question!

An automation script that prompts you is a letdown, to say the least.

A typical example of such an event is the question you get when you try to unmount a CD or DVD drive from a VM. Some Linux guest OS will place a lock on the CD or DVD, and vSphere will ask you if you want to bypass this lock. And your script just hangs there, waiting for you to reply 🙁

I have been looking for some time to come up with a solution for this automation “issue”. And finally I came up with a working solution 🙂

DRSRule – a DRS rules and groups module

One of the nice vSphere features is the ability to define DRS rules.

The feature allows a vSphere administrator to control the placement of virtual machines in a vSphere cluster. There are the VM to VM affinity and anti-affinity rules, and the newer VM to VMHost rules. With the VM to VMHost rules, vSphere introduced the concept of VM and VMHost groups, and the ability to have rules that are a requirement (‘shall’) or a preference (‘should’).

In a recent VMTN PowerCLI community thread a PowerCLI user had a query about exporting and importing DRS rules and groups. At that point Matt Boren and I developed the idea to provide a PowerShell module. The PowerShell module, which we named DRSRule, provides all the functions we deemed useful for working with DRS rules and groups. And yes, the module includes an export and an import cmdlet!

PowerCLI and the Linux Shellshock vulnerability

With all the fuss going round about the latest Linux vulnerability, you will probably get a request from your local Security Officer to produce a report on which of your Linux systems are vulnerable to the Shellshock bug. And, seeing that there are already several known exploits, who can blame him for asking for such a report?

Since a lot of these Linux boxes are running under vSphere, we can use PowerCLI to produce such a report. The Invoke-VMScript cmdlet is the vehicle I use in the following function. With the Invoke-VMScript cmdlet it is very easy to execute what is considered the best test to check for the vulnerability.

Update2 September 29 2014: the 2nd test from the Shellshocker gives a syntax error. The test is replaced by the one found on Michael Boelen’s website in How to protect yourself against Shellshock Bash vulnerability. Big thanks to Wil van Antwerpen for the pointer.

Update1 September 29 2014: the function was updated to include tests for most of the known Shellshock vulnerabilities. The tests were collected from the Shellshocker site.

Stats Toolbox – A vSphere Server Performance Counter tool

Finding out which performance counters are available on your vSphere server, and over which time interval, is not always an easy task. There is of course the Performance Manager entry in the VMware vSphere API Reference, but that is not always the easiest route. Let alone finding out what a specific counter actually represents.

For that reason I decided to create a tool, which I called the Stats Toolbox, that would query the vSphere server to get the actual list of counters it collects for each interval. In the tool I added some extra features that would make working with the performance counters easier.

During our VMworld 2014 US breakout session I demonstrated the features of the Stats Toolbox, and I received quite some positive feedback.

Event-O-Matic

One of the questions related to working with vSphere events and tasks that often appears in the PowerCLI Community is how we know which events to select for a query.

To make that task a bit easier, I wrote the Event-O-Matic script. It’s a GUI that allows you to pick a number of events, and the script will generate the PowerShell code, and place it in the clipboard. The Event-O-Matic script was mentioned during our VMworld 2013 US session VSVC4944.

Update September 7th 2013:

  • added at least PowerShell v3 test
  • added PowerCLI core pssnapin loaded test

HA VM failover tracking

Another interesting question in the PowerCLI Community today.
David wanted to know if it was possible to track which VMs had been failed over to another ESXi host by HA.
With the Get-VIEventPlus function from my Get the vMotion/svMotion history post it is easy to get that information from the Tasks and Events that are kept in the vCenter database.

But which event to look for?

Remove old VM monitor dump files

When you need to move the content of one or more datastores, you sometimes stumble upon files that you didn’t know were there. One such type of file is the dump file that is stored in a VM’s directory on the datastore.

The files I encountered were named like this:

  • vmware64-core*.gz
  • vmware-vmx-zdump.*

There isn’t a lot of information available on what exactly these files are used for, besides that they seem to be created when the VM Monitor encounters a crash or a serious problem.

Since these files were quite old, and since I didn’t have any open tickets with VMware, I decided to remove these files. But of course in the PowerCLI way with a function 😉

Get the vMotion/svMotion history

vMotion and svMotion, provided you have a license that allows them, are some of the key features of vSphere.

The DRS and SDRS functionality will use vMotion and svMotion to better use the available resources.

And you as a vSphere administrator can use it to facilitate your work. Just think of how easy patching or datastorecluster maintenance becomes with the help of these two features.
But as an administrator you want to be able to report on what vMotion and svMotion have been doing over a specific time interval in your vSphere environment.

In the past I already provided a vMotion reporting tool in Events – Part 8 – vMotion history, but now it was time to provide a universal (s)vMotion reporting feature.

Update October 29th 2013: added additional parameters to the Get-VIEventPlus function

  • User: one or more users for which to return the events
  • System: a switch to return all system user events
  • ScheduledTask: return all events for a specific Scheduled Task

Update February 10th 2014: it’s always nice to see another implementation based on one of your scripts. The Opvizor solution will soon contain this function, see Dennis Zimmer’s post called Storage vMotion Activities Report!

Alarm actions – enable – disable – report

Another post triggered by a question in the VMTN PowerCLI community. The user wanted to know how he could create a report that showed for which vSphere entities the alarm actions were disabled.

To set the stage, a short overview of what this is all about. In vSphere you can, since vSphere 4, disable and enable alarm actions for all the managed entities. This option is available from the vSphere client and from the vSphere Web client.

But how to automate these actions, and more importantly in this case, how to report on the active settings? As always, PowerCLI to the rescue.
