Discovering VMware guest hosts by using the vCenter API


BMC Discovery enables you to discover the guest hosts that are managed by vCenter, even if those hosts are not accessible from the appliance or BMC Discovery Outpost you are using. However, the ESX or ESXi hosts on which the VMs are running must be accessible from the appliance or BMC Discovery Outpost. The way in which BMC Discovery discovers VMware ESX and ESXi hosts is described in the Discovering-ESX-and-ESXi-hosts topic.

This topic describes how BMC Discovery discovers other guest hosts managed by vCenter.

When a VMware vCenter server or appliance is found and a valid vCenter credential is available, BMC Discovery retrieves a list of managed ESX and ESXi hosts and other guest hosts managed by vCenter. This requires a valid vCenter credential if the VMware vCenter server or appliance was discovered with an SNMP or a Windows credential. The IP addresses of these hosts are added, as part of the same scan range, to the list of IP addresses that are going to be scanned. 

The following credential types are used to discover guest hosts:

  • vCenter credentials—used to access a vCenter server using the vSphere API. The vCenter server then communicates with the guests. 
  • VMware guest credentials—credentials of the guest hosts' OS-level users (having SSH, Windows or PowerShell access) that are used to log in to individual guest hosts, and run commands on those hosts. VMware guest credentials are used for guest operation authentication. To create guest credentials, see Adding-credentials.

VMware guest scanning uses the GuestOperationsManager API, which interacts with the VMware Tools service on the guest VM. VMware Tools must be installed and running. VMware guest scanning has been tested with vSphere 5.0 and later.

Warning

Unpatched versions of VMware vSphere have known issues when scanned by various tools. We recommend that you apply the appropriate patches to the affected systems. For more information about this issue, see the related information on BMC Discovery content reference.

There are two ways of scanning a VMware guest host:

  • Indirect scanning
  • Direct scanning

Indirect scanning

BMC Discovery scans an IP address as part of a discovery run where VMware Guest Scanning is enabled:

  1. The scan detects a Windows host running a vCenter server or a vCenter appliance using one of the credential types mentioned above.
  2. If vCenter credentials are defined, they are used to connect to the vCenter server on port 443. 
  3. On a successful connection, BMC Discovery retrieves a list of ESX and ESXi hosts and guest hosts managed by the VMware vCenter server.
  4. If you have supplied an additional vSphere Web API with a token authentication credential, the tags for each virtual machine are also returned. 
  5. The IP addresses are added to the list of IP addresses specified in the original scan. As a user does not request them, they are referred to as implicitly scanned IP addresses.
  6. The guest hosts are scanned using VMware Guest credentials.

Warning

Indirectly scanned (implicitly scanned) IP addresses are scanned even if they are in an exclude range. 
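A pre-scan check for the behaviour in this warning, as an added example that is not BMC Discovery code: it lists the vCenter-reported guest IP addresses that fall inside an exclude range and will therefore still be scanned implicitly. The sample data is constructed, the function names are hypothetical, and the accepted range syntax (single address, CIDR, start-end) is an assumption of the example rather than the product's own syntax.

```python
import ipaddress

def parse_range(spec):
    """Return (first, last) address for 'a.b.c.d', CIDR, or 'start-end' (assumed syntax)."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {spec!r}")
        return lo, hi
    net = ipaddress.ip_network(spec, strict=False)
    return net[0], net[-1]

def implicit_hits(guest_ips, exclude_specs):
    """Return ({ip: [exclude entries covering it]}, [inventory values with no usable IP])."""
    ranges = [(spec, *parse_range(spec)) for spec in exclude_specs]
    hits, skipped = {}, []
    for raw in guest_ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            # VMs that are powered off or lack VMware Tools often report no address.
            skipped.append(raw)
            continue
        # Compare only within the same IP version; mixed comparisons raise TypeError.
        covering = [spec for spec, lo, hi in ranges
                    if ip.version == lo.version and lo <= ip <= hi]
        if covering:
            hits[str(ip)] = covering
    return hits, skipped

# Constructed sample data: guest IPs as a vCenter inventory export might list them,
# and exclude ranges as an administrator might have recorded them.
GUEST_IPS = ["10.20.1.15", "10.20.9.40", "192.168.50.7", "", "fd00:20::15", "10.20.1.200"]
EXCLUDES = ["10.20.9.0/24", "10.20.1.100-10.20.1.250", "fd00:20::/64", "172.16.0.0/12"]

if __name__ == "__main__":
    hits, skipped = implicit_hits(GUEST_IPS, EXCLUDES)
    for ip, specs in hits.items():
        print(f"{ip} is covered by {', '.join(specs)} but would be scanned implicitly")
    print(f"{len(skipped)} inventory value(s) had no usable IP address")
```

Any address this reports has to be kept out of scope by other means, for example by not enabling VMware Guest Scanning on that run, because the exclude range does not apply to it.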

The interaction between vCenter and the guest hosts is non-interactive. Any privilege elevation mechanism on the guests (for example, sudo) must be configured to be non-interactive; otherwise, the discovery will fail.

If there are user-requested IP addresses being scanned or waiting to be scanned, discovery waits until the implicit scan of IP addresses is complete or there are no more IP addresses to scan. The IP address is removed, and the DroppedEndpoints node associated with the DiscoveryRun records OptAlreadyProcessing as the reason for removal.

Guest events in vCenter

VMware vCenter creates events for many operations on guests, such as creating temporary directories, transferring files, starting programs, checking that programs are still running, and so on. The number of events builds quickly, and vCenter may create up to a few hundred while scanning a host. If you do not have a policy for managing events, you may see excessive disk space consumed in the database.


Required vCenter privileges

The following Virtual Machine Guest Operations Privileges are required:

Privilege Name in the API                 Description
VirtualMachine.GuestOperations.Modify     To create temporary files in the guests and to upload the discovery script.
VirtualMachine.GuestOperations.Execute    To run the discovery script.
VirtualMachine.GuestOperations.Query      To check that the script has been completed and to download the results.

Implicitly scanned IP addresses

When IP addresses are implicitly scanned, the DiscoveryRun records the total number of IP addresses as usual, but it also records separate counts for IP addresses whose scan was requested by a user (explicit_ip_count) and for implicitly scanned IP addresses (implicit_ip_count).

The following screenshot shows an indirectly scanned discovered guest host running Windows Server 2016:

indirectlyScannedGuest.png

Direct scanning

If the IP address is reachable, BMC Discovery scans the guest host as a normal IP endpoint.

Intermittent retrieval of vCenter serial number (ServiceTag) 

vCenter caches the serial number (ServiceTag) value in memory rather than in its database. That cache expires after some time. Therefore, if you look at the ESX host using the vSphere client or the managed object browser, or perform a scan while the cached value is held in memory, you see the ServiceTag value, and BMC Discovery retrieves it. After the value has expired, the only way to get it back is to restart the ESX host services. This behavior will only be fixed in an upcoming major vSphere release. You can view related discussions on the BMC Discovery community forum.

vCenter server incorrectly reports completion of VM migration

Occasionally, a vCenter server may incorrectly report that a VM migration has been completed, even though the migration failed. In the BMC Discovery model, the SI representing the VM is moved to a different ESXi host, when in fact the migration failed. However, at the next scan, the SI will be correctly relocated.
