In this post we will discuss Out-of-Band Management of virtual machines running on Hyper-V, and a glimpse into the future. Hyper-V in Windows Server 2012 R2 has a large number of significant improvements, but there’s a new feature called Guest Services that hasn’t been much in the spotlight yet. I’ll provide a quick overview of Hyper-V Guest Services and also an example of how it can be used to perform out-of-band operations.
Guest Services are disabled by default on VMs. In order to use Guest Services, it needs to be enabled on each VM which will make use of it. To enable Guest Services on each VM, you can configure the checkbox setting shown in the screenshot below.
And of course you can enable Guest Services with PowerShell, using the Enable-VMIntegrationService command.
Guest Services leverages the Hyper-V Virtual Machine Bus (VMBus) to which each VM is connected. The VMbus is a communication mechanism used for inter-partition communication and device enumeration on systems with multiple active virtualized partitions. To bring it the easy way: The hypervisor and virtual machines are communicating with each other through the VMBus. For now, the only Out-of-Band operation Guest Services is supporting is the Copy-VMfile cmdlet.
With this cmdlet you can copy a file from a host into the VM.
Copy-VMFile -VM $VM -SourcePath “C:\scripts\powershellscript.ps1″ -DestinationPath “C:\scripts\powershellscript.ps1″ -CreateFullPath -FileSource Host -Force
Out-of-band management (OOB), sometimes called lights-out management, involves the use of a dedicated management channel for device maintenance. The term “Out-of-Band” in this blog is actually referring to a way to manage machines without using network. Now you might think “Manage without network? why?”
With routed VLANs you can easily manage your VMs using remote PowerShell, but with network virtualization, although a very cool technology, it also introduces some big challenges. Network virtualization isolates the network meaning nobody can access the network without being in it. You may encounter a similar scenario with isolated development environments with VMs running in a DMZ, behind a Firewall or using ACLs. So, how are you going to manage VMs which you can’t reach through network connectivity?
Right! Out-of-Band Management
So the goal is to manage VMs running on Hyper-V without having to worry about what network the VM is on, or if it’s even connected to any network.
A Glimpse into the future
My prediction is that the Virtual Machine Manager and Hyper-V product teams are working hard to get this type of management arranged. Virtual Machine Manager will be the center of Out-of-Band management, shooting commands through the VMM agent to the Hyper-V host. The Hyper-V server will pass these commands (PowerShell of course) through the VMBus to the VM using Integration Services.
This way you can manage any VM, connected to any network.
Other System Center components could benefit from Out-Of-Band management also: monitor a VM while the network is down with Operation Manager, change a VM IP with Configuration Manager etc. Since much is focused on Microsoft Azure, I am assuming this kind of functionality will also be available on Microsoft Azure and Windows Azure Pack through the API’s.
How cool would it be to pass PowerShell commands from your laptop on a public airport Wifi to your VMs on Azure?
Is there a catch?
The question is if this functionality poses a potential risk for your VMs or even your whole environment. What would happen if the security of the APIs is breached, would it be possible to execute commands from within your VMs from anywhere. The Hyper-V Integration Services are running as a services with ‘Local System’ privileges, so in theory there will be no security restrictions within the VM.
The above paragraph is of course speculative, but if a file copy through the VMBus is possible… I suspect anything is.
Let me know what your thoughts are on this subject, leave a comment!