Discovering VMware guest hosts by using the vCenter API

BMC Helix Discovery enables you to discover the guest hosts that are managed by vCenter, even if those hosts are not accessible from the BMC Discovery Outpost you are using. The way in which BMC Helix Discovery discovers VMware ESX and ESXi hosts is described in the Discovering ESX and ESXi hosts topic.

This topic describes how BMC Helix Discovery discovers other guest hosts managed by vCenter.

When a VMware vCenter server or appliance is found and a valid vCenter credential is available, BMC Helix Discovery retrieves a list of managed ESX and ESXi hosts, and other guest hosts managed by vCenter. This requires a valid vCenter credential if the VMware vCenter server or appliance was discovered with an SNMP or a Windows credential. The IP addresses of these hosts are added, as part of the same scan range, to the list of IP addresses that are going to be scanned. 

The following credential types are used to discover guest hosts:

  • vCenter credentials—used to access a vCenter server using the vSphere API. The vCenter server then communicates with the guests. 

  • VMware guest credentials—used to log in to individual guest hosts, and run commands on those hosts.

Warning

Unpatched versions of VMware vSphere have known issues when scanned by various tools. We recommend that you apply the appropriate patches to the affected systems. For more information about this issue, see the related information on BMC Discovery content reference.

There are two ways of scanning a VMware guest host:

  • Indirect scanning
  • Direct scanning

Indirect scanning

BMC Helix Discovery scans an IP address as part of a discovery run where VMware Guest Scanning is enabled:

  1. The scan detects a Windows host running a vCenter server, or a vCenter appliance, using one of the credential types mentioned above.

  2. If vCenter credentials are defined, they are used to connect to the vCenter server on port 443. 

  3. On a successful connection, BMC Helix Discovery retrieves a list of ESX and ESXi hosts and guest hosts managed by the VMware vCenter server.
  4. If you have supplied an additional vSphere Web API with token authentication credential, the tags for each virtual machine are also returned. 
  5. The IP addresses are added to the list of IP addresses that were specified in the original scan. As they are not requested by a user, they are referred to as implicitly scanned IP addresses.
  6. The guest hosts are scanned using VMware Guest credentials. 

The interaction between vCenter and the guest hosts is non-interactive. Any privilege elevation mechanism on the guests (for example, sudo) should be configured to be non-interactive; otherwise, the discovery will fail.

If there are user-requested IP addresses being scanned or waiting to be scanned, discovery waits until the implicit scan of IP addresses is complete, or there are no more IP addresses to scan. The IP address is removed, and the DroppedEndpoints node associated with the DiscoveryRun records OptAlreadyProcessing as the reason for removal.

Required vCenter privileges

The minimum privileges required for full discovery of guest hosts using vCenter credentials are listed below:

Managed Object Type: ManagedObjectReference:HostSystem

  • hardware.systemInfo.uuid
  • config.network.pnic
  • name
  • config.network.vnic
  • runtime.connectionState
  • config.virtualNicManagerInfo.netConfig
  • config.network.consoleVnic

Managed Object Type: ManagedObjectReference:VirtualMachine

  • config.alternateGuestName
  • guest.guestFullName
  • config.guestFullName
  • guest.guestId
  • config.guestId
  • guest.hostName
  • config.name
  • guest.ipAddress
  • config.template
  • name
  • config.tools.toolsVersion
  • runtime.powerState
  • config.uuid

The following Virtual Machine Guest Operations Privileges are also required. Each entry gives the privilege name in the API, followed by its description:

  • VirtualMachine.GuestOperations.Modify: To create temporary files in the guests and to upload the discovery script.

  • VirtualMachine.GuestOperations.Execute: To run the discovery script.

  • VirtualMachine.GuestOperations.Query: To check that the script has completed and to download the results.
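
The following added example (not part of the BMC documentation or product) audits a vCenter role against the three Guest Operations privileges listed above, reporting any that are missing and any granted beyond them. The JSON role export, the role names, and the read-only baseline set are assumptions made for illustration.

```python
import json

# Guest Operations privileges this page lists as required for guest discovery.
REQUIRED_GUEST_OPS = frozenset({
    "VirtualMachine.GuestOperations.Modify",
    "VirtualMachine.GuestOperations.Execute",
    "VirtualMachine.GuestOperations.Query",
})
# Assumption: the discovery role is cloned from vSphere's Read-only role, so
# these three system privileges are expected and not counted as excess.
READ_ONLY_BASELINE = frozenset({"System.Anonymous", "System.View", "System.Read"})

# Constructed sample: role definitions as they might be exported to JSON.
SAMPLE_ROLE_EXPORT = """
[
  {"name": "discovery-minimal", "privileges": [
     "System.Anonymous", "System.View", "System.Read",
     "VirtualMachine.GuestOperations.Modify",
     "VirtualMachine.GuestOperations.Execute",
     "VirtualMachine.GuestOperations.Query"]},
  {"name": "discovery-broad", "privileges": [
     "System.Anonymous", "System.View", "System.Read",
     "VirtualMachine.GuestOperations.Modify",
     "VirtualMachine.GuestOperations.Execute",
     "VirtualMachine.GuestOperations.Query",
     "VirtualMachine.GuestOperations.ModifyAliases",
     "VirtualMachine.Interact.PowerOff"]},
  {"name": "discovery-partial", "privileges": [
     "System.Anonymous", "System.View", "System.Read",
     "VirtualMachine.GuestOperations.Modify"]}
]
"""

def audit_role(role):
    """Compare one role's privileges with the page's minimum set."""
    granted = set(role.get("privileges", []))
    missing = sorted(REQUIRED_GUEST_OPS - granted)
    excess = sorted(granted - REQUIRED_GUEST_OPS - READ_ONLY_BASELINE)
    return {"missing": missing, "excess": excess,
            "least_privilege": not missing and not excess}

def audit_export(text):
    """Audit every role in a JSON export, keyed by role name."""
    return {role["name"]: audit_role(role) for role in json.loads(text)}

if __name__ == "__main__":
    for name, result in audit_export(SAMPLE_ROLE_EXPORT).items():
        print(name, result)
```
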

Implicitly scanned IP addresses

When IP addresses are implicitly scanned, the DiscoveryRun records the total number of IP addresses as usual, but it also records counts of IP addresses whose scan was requested by a user (explicit_ip_count) and implicitly scanned (implicit_ip_count) IP addresses.

The following screenshot shows an indirectly scanned discovered guest host running Windows Server 2016:

Direct scanning

If the IP address is reachable, BMC Helix Discovery scans the guest host as a normal IP endpoint.

Intermittent retrieval of vCenter serial number (ServiceTag) 

vCenter caches the serial number (ServiceTag) value in memory rather than in its database. That cache expires after some time. Therefore, if you look at the ESX host using the vSphere client or the managed object browser, or perform a scan while the cached value is held in memory, you see the ServiceTag value, and BMC Helix Discovery retrieves it. After the value has expired, the only way to get it back is to restart the ESX host services. This behavior will only be fixed in an upcoming major vSphere release. You can view related discussions on the BMC Helix Discovery community forum.

vCenter server incorrectly reports completion of VM migration 

Occasionally, a vCenter server may incorrectly report that a VM migration has been completed, even though the migration failed. In the BMC Helix Discovery model, the SI representing the VM is moved to a different ESXi host, when in fact the migration failed. However, at the next scan, the SI will be correctly relocated.
