vCenter Update Manager – A Feature Request

Way back in August 24 2010 I wrote a post called vCenter Update Manager to lose it’s fat. I’m still very happy that VMware has decided to drop OS patching from the product, and I still mean that can only be a good thing. In fact, that article prompted Beth Pariseau Senior News Writer for to call me when researching her VMware users eye changes to Update Manager article.

I would like to expand a bit on the following quote from the article:

Centralized management is fine, Mohn said, but he’d like to see satellite servers hang on to a local repository of patches, which can then be applied with a command from the central server …

As I work with small ROBO environments, which in many cases have low bandwidth available coupled with very high latency, using VMware Update Manager to update the sites is often not feasible. The sheer problem with installing the patches from a central HQ based repository, and the time it consumes and potential failure rates, makes it more practical to download the patches manually to a local vMA installation (possibly even replicated with rsync) and applying the patches to the host from a local repository. This also minimizes the hosts downtime when applying patches.

What I would like to see added to VMware Update Manager is the ability to tell a remote host to apply patches, but from a local file repository.

Using vMA for this is absolutely possible, but I can also see using local (to the host) NAS storage as the patch repository as another possibility. By using some DNS magic, it would even be possible to tell all remote vSphere hosts to fetch their updates from \\patchrepo\vmware\ (or something similar) and it would still be a local repository.

VMware Update Manager could even handle the replication of the patches to the remote sites, but in general I’m in favor of using the existing underlying network infrastructure that’s already in place to move the patches from a central location to the remote locations.

So, in short, all I’m asking is for a way to tell a central VMware Update Manager installation where the patches for a remote server is, and invoke the patching process from the central installation. Surely, that can’t be too much to ask for, can it?

Installing and running VMware Compliance Checker for vSphere

The first version of the new VMware Compliance Checker for vSphere tool is now available for download.

VMware Compliance Checker for vSphere lets you scan your ESX and ESXi hosts for compliance with the VMware vSphere hardening guidelines to make sure your hosts are properly configured. It also lets you save and print your assessment results, so you can track your compliance level over time, or use them as documentation for internal audits.

Installing VMware Compliance Checker for vSphere

After downloading the VMwareComplianceCheckerForvSphere.msi installing is done in a matter of seconds, using the all to familiar click Next to continue Windows installation routine. The tool is Windows only at this point.

The tool is Java based, so the client machine you run it on needs to have it installed locally before you can use it.

Running a Compliance Scan

Running a compliance scan is very easy. Start up VMware Compliance Checker for vSphere and point it towards either a ESX/ESXi host, or towards your vCenter installation.

The tool runs for a while, and in the end you’ll be presented with a nice HTML based report highlighting all your compliance shortcomings!


VMware Compliance Checker for vSphere looks like it can be a valuable tool to add to your vAdmin tool-belt. In it’s first version it does a good job of identifying potential issues with your environment. As far as I can see, William Lam’s Perl based vSphere Security Hardening Report Script does more extensive checks for now.

The vSphere Security Hardening Report Script also has a couple of other advantages, one being that it’s operating system agnostic (since it’s Perl based) another advantage is that since it’s written in a scripting language you can set up automated cron jobs that performs the scanning for you. As far as I can see the VMware tool is missing the ability to schedule scans, which is something I really hope VMware will add to it in the not to distant future.

vNinja enables HA

I’m happy to announce that my fellow vSoup Podcast co-host Ed Czerwin is on board as blogger here on! This means that from now on you won’t just have to put up with the content of one virtualization admin, but two!

As all good vAdmins know, two is better than one, and it’ so much easier to build HA solutions around!

Welcome aboard Ed, glad to have you on!