guest operations

Quick Tip - Using PowerCLI to query VMware Tools Configuration at scale

10.11.2024 by William Lam // Leave a Comment

One of the most powerful and versatile VM management capability in vSphere is the Guest Operations API, providing a rich set of operations from transferring files to/from the guest to running commands directly on the guest as if you were logged in!

An easy way to consume the Guest Operations API is via PowerCLI and using the Invoke-VMScript cmdlet, which I have extensively written about, showcasing all the creative ways this can be used to solve various automation challenges.

I recently came across a Reddit thread where the OP wanted to check to query for a specific VMware Tools configuration as part of the vSphere Security Configuration Guide and was looking for some help as logging into each and every system did not seem like a good idea, which it is NOT! 🙂

Any time you have a use case where you need to scale a specific operation (reading or writing) a change, you should consider Guest Operations API, you can easily use a single API to perform this operation at scale!

[Read more...]

Quick Tip - Requirements for using Guest Operation APIs (Invoke-VMScript & Copy-VMGuestFile) in VMC

08.02.2018 by William Lam // 1 Comment

Since this question came up again today, I figure it was worth sharing in case others also had trouble using the vSphere Guest Operations API in VMware Cloud on AWS (VMC), which includes PowerCLI's Invoke-VMScript and Copy-VMGuestFile cmdlet. There are a couple of requirements that you must satisfy both in the GuestOS as well as between your on-prem vSphere environment and VMC.

VMware Tools installed and running, it may seem obvious, but I have had customers trying to use various scripts without realizing this was a requirement. You should also ensure that you are running the latest version of VMware Tools, especially as there bugfixes that may impact Guest Operations APIs.
VPN or Direct Connect (DX) configured between your on-prem vSphere environment and VMC, this is required as you will need access to ESXi hosts which is only available through a VPN or DX
Create a VMC firewall rule to allow access from your on-prem network to VMC's ESXi hosts on port 443 which is used for Guest Operations access including transferring files to and from the GuestOS

The VMC firewall rule is usually the thing that most folks forget about and this simply because for most on-prem environment, access to ESXi over 443 is just sort of a default.

Once you have configured the VMC firewall to allow 443 to ESXi hosts, you will be able to use the Guest Operations API including Invoke-VMScript and Copy-VMGuestFile to a VM running in VMC

Using vSphere Guest Operations API on macOS Guests?

07.05.2017 by William Lam // 2 Comments

I have written a number of articles exploring the usage and some of the cool tricks that the vSphere Guest Operations (GuestOps) feature provides which you can be found here, here, here and here. I have been a huge fan and supporter of GuestOps since the early days where it was formally known as the VIX API. Having used GuestOps across many different GuestOS types including Nested ESXi, I have to admit, I had never tried it against an Apple macOS guests. I recently had a customer reach out who was looking to use the GuestOps API via PowerCLI (Invoke-VMScript) to automate updates against his guestOS templates that span across Windows, Linux and macOS (from 10.7 to latest). The customer was able to get all guestOSes working except for macOS.

Since I had never tried this before, I spun up my Apple Mac Mini which happen to have a macOS 10.11 (El Capitan) guests running. I tried using the vSphere API GuestOps directly to see if this was a PowerCLI and/or API issue. I too ran into issues and after enabling VMware Tools debugging on the guests (which you can find more details below), I found that it hit the following error:

[Jun 28 06:35:42.805] [ debug] [vix] >VixToolsImpersonateUser

[Jun 28 06:35:42.925] [ warning] [vmsvc] Failed to set gid for user root

Reaching out to Engineering regarding the problem, I came to learn that this particular issue was due to a syscall change made by Apple starting with macOS 10.10.3 and newer. Although the change was a positive thing from a security standpoint, it did break the GuestOps functionality. The good news was that this was already resolved with VMware Tools 10.1 or later. When I had initially provisioned the macOS guests, the latest VMware Tools at the time was 9.10.5. After I applied the latest version which is currently 10.1.7, the issue went away and I was able to successfully use the GuestOps API on my macOS guests.

Below are examples of running the system_profiler SPSoftwareDataType command using both the Invoke-VMScript cmdlet as well as the vSphere API and PowerCLI to consume the GuestOps APIs. Both approaches delivers the exact same outcome, the one benefit of using Invoke-VMScript is that if you want to easily return output from a given command, the cmdlet already does the heavy lifting. If you notice in the native vSphere API case, you do not get output but rather just the PID ID. If you want to return the output, you need to first save it into a file and then download the file to your client system, which may not be ideal for interactive usage but it all depends on your use case.

[Read more...]