8 Replies Latest reply on Feb 2, 2010 8:15 AM by Umar Shaikh

    Compliance with VMs

      Hi there,


      how is it possible to make a compliance job with VMs? I don't see a way to target them in the job.

        • 1. Re: Compliance with VMs

          I am presuming that you are going through the Virtual Center for this compliance right?


          Which version are you using? 7.6 or 8.0?


          In 8.0, we support wild cards in compliance. So that is one way to do it.


          Otherwise, there is a special way to do it for VMware Virtual Machines, via an NSH script which is bundled with the appserver.


          I'll just see if I have a documented usage of this anywhere.



          • 2. Re: Compliance with VMs

            We are using 7.6. If an upgrade to 8.0 would make things easier, it would be an option for us.

            • 3. Re: Compliance with VMs

              Ok. That's alright. The same method applies to both 7.6 and 8.0.


              I have tried to summarize the method here. I hope it's easy to follow:


              1. Create a component template, say vmware-template in a template group folder, say /vmware
              2. Add a local property to the component template, say VM_NAME
              3. Add a VMware configuration property/category to the template
                1. For example, add /VMWare/Virtual Machines/<<vmname>>/Hardware/Memory/Virtual Machine Memory (MB)
                2. Replace the <<vmname>> with the local property, VM_NAME so the path becomes /VMWare/Virtual Machines/??VM_NAME??/Hardware/Memory/Virtual Machine Memory (MB)
              4. Create an NSH Script in the Depot. The NSH script should be <Appserver install folder> -> scripts -> vmware_instances.nsh
              5. Run an NSH script job for this script. Target this job to either the Virtual Center server or the ESX server. (ESX server if on version 7.6) This job runs a script that:
                1. Is a type 2 [Execute the script once, passing the host list as a parameter to the script] script
                2. Takes the following parameters:
                    1. TEMPLATE_NAME – for example, vmware-template
                    2. TEMPLATE_GROUP – for example, /vmware
                    3. PROPERTY_NAME – for example, VM_NAME
                    4. HOSTS - %h, always the list of hosts passed to the script
                    5. APPSERVER – name of the appserver
                    6. –HOST – Leave this blank if you want to run compliance on all the VMs in the vCenter, else if you want to run compliance on VMs that belong to a certain Host, enter this parameter’s value as ‘–Host=hostname’
                      NOTE: For 7.6, if you are running this job on the ESX server, you can ignore this parameter. It is applicable only when you are running it against a Virtual Center server
              6. Once the job is complete, go back to the template, open the Local Properties tab, check the instances tab. If there are instances present, you are good to go ahead.
              7. Create a discovery rule for this part. Just a must-exists should be good enough.
              8. Run a discovery job for the template. Since the collected part paths are now qualified by the VM_NAME property, component instances for the template are created for each existing virtual machine on the Virtual Center server
              9. A package that can remediate non-compliant VMware property parts can be created
                1. Set this package up with a local property, for example, VM_NAME
                2. Replace the virtual machine name in the package element paths by this new local property, VM_NAME
              10. For the remediation of a compliance rule, map the VM_NAME property of the template to the VM_NAME property of the package. This will ensure that the virtual machine name for the VM being remediated is correctly passed to the package
              11. Compliance and remediation can then be run on these discovered components as usual.


              The same mechanism applies for ESX Hosts in 7.6.


              Hope this helps.




              Message was edited by: Umar Shaikh

              • 4. Re: Compliance with VMs

                8.0 allows much better management of VMware through the vCenter via BladeLogic.


                There are new ways of creating VMs quite easily and repeatedly via BladeLogic now.


                And yeah, I hope I got your question correctly.



                • 5. Re: Compliance with VMs
                  Bill Robinson

                  So to run any compliance jobs against ESX (ESX or ESXi) we need to run this script? And we need the VC agent installed?


                  We can no longer target the ESX (not ESXi) host directly?

                  • 6. Re: Compliance with VMs

                    The script is just an easy way of running compliance on all your Virtual Machines at once.


                    We can still run compliance just as we used to run it before. The script has existed since the beginning.


                    One example of an end to end use case which can be covered with this script is:

                    Run Compliance on all the VMs belonging to Host1 to check if they have at least 1 GB of RAM. If not, remediate them.


                    Regarding the ESX agent, in 8.0, we do not support the Virtualization Management features on the ESX agent anymore. If you want to run any compliance on the Virtualization features of the ESX agent, you would now have to go through the vCenter server.
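
Added example, not part of the thread and not BladeLogic code: a simplified Python model of the steps in reply 3 applied to the use case in reply 6, showing how one `??VM_NAME??` path yields one component instance per VM, how a host filter narrows them, and which VM_NAME values would be handed to the remediation package. The inventory is constructed sample data, all function names are hypothetical, and VM names are assumed unique across hosts.

```python
# Simplified model of the parameterized-template method; not BladeLogic's implementation.
TEMPLATE_PATH = ("/VMWare/Virtual Machines/??VM_NAME??"
                 "/Hardware/Memory/Virtual Machine Memory (MB)")
MIN_MEMORY_MB = 1024  # "at least 1 GB of RAM" from the use case in the thread

# Constructed sample inventory: host -> {VM name: configured memory in MB}
INVENTORY = {
    "Host1": {"web01": 2048, "db01": 512, "build (old)": 1024},
    "Host2": {"mail01": 768},
}

def expand(template, vm_name):
    """Substitute the local property into the part path (step 3.2)."""
    if "??VM_NAME??" not in template:
        raise ValueError("template path is not parameterized by VM_NAME")
    return template.replace("??VM_NAME??", vm_name)

def instances(inventory, host=None):
    """One VM_NAME instance per VM (step 5); host models the optional host filter."""
    if host is not None and host not in inventory:
        raise KeyError(f"unknown host: {host}")
    hosts = [host] if host is not None else sorted(inventory)
    return [vm for h in hosts for vm in sorted(inventory[h])]

def collect_parts(inventory):
    """Flatten the inventory into {fully qualified part path: value} (step 8)."""
    return {expand(TEMPLATE_PATH, vm): mb
            for vms in inventory.values() for vm, mb in vms.items()}

def run_compliance(inventory, host=None):
    """Evaluate the memory rule once per instance; a missing part fails the rule."""
    parts = collect_parts(inventory)
    results = {}
    for vm in instances(inventory, host):
        value = parts.get(expand(TEMPLATE_PATH, vm))
        results[vm] = value is not None and value >= MIN_MEMORY_MB
    return results

def remediation_targets(results):
    """VM_NAME values to map from the template to the package (step 10)."""
    return sorted(vm for vm, ok in results.items() if not ok)

if __name__ == "__main__":
    res = run_compliance(INVENTORY, host="Host1")
    for vm, ok in res.items():
        print(f"{expand(TEMPLATE_PATH, vm)}: {'compliant' if ok else 'NON-COMPLIANT'}")
    print("remediate:", remediation_targets(res))
```
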



                    • 7. Re: Compliance with VMs
                      Bill Robinson

                      Then I'm confused. I want to run compliance against the ESX OS, e.g. is the /etc/passwd file set w/ these permissions, is the /etc/shadow file owned by root - those types of things. For those I would still use the ESX agent and target the ESX system directly?

                      • 8. Re: Compliance with VMs

                        Oh. Yes, of course. It is only the 'ESX Host' node that is not present in 8.0. The other OS properties are all still supported very much.


                        So yes, you can still run compliance against files and other OS CIs.