VMware Cloud Community
Dorp0
Contributor

How does invoke-vmscript work under the hood?

A question came up regarding security.

How does Invoke-VMScript execute commands on the guest operating system? I know that the host communicates with the guest on port 902, but what does it actually do under the hood? What path does the traffic take network-wise? Does the host use SSH or some other method to access and execute commands on the guest? How does it actually execute the command? How secure is this method? Is it compliant with ISO standards?

6 Replies
LucD
Leadership

The Invoke-VMScript, and all other cmdlets interfacing with the guest OS, use the API methods available through the GuestOperationsManager.

From your station, the code is transferred to the ESXi node where the target VM is running.

And the ESXi node uses above mentioned API to communicate with the guest OS inside the VM.

Note that this mechanism requires VMware Tools to be installed inside the guest OS.

The script or code that needs to be executed is encoded and transferred to the file system inside the guest OS, there it is executed.

You need credentials that give you access to the guest OS.

The writing of the files and the execution of the code is done under those credentials.

I did a similar exercise, minus the encoding, in my Invoke-VMScriptPlus function, where I use the same API directly.

Not sure which ISO standards you are referring to?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

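The GuestOperationsManager round trip described in the reply above, written out step by step so that each trust boundary is visible (guest credential, vCenter API, HTTPS upload to the ESXi host, execution inside the guest). This is an added example, not LucD's Invoke-VMScriptPlus and not PowerCLI's own implementation; it assumes an existing Connect-VIServer session, a Windows guest with VMware Tools, and the placeholder VM and account names shown.

```powershell
# Added example (not code from the thread): one Invoke-VMScript-style round trip using the
# GuestOperationsManager API directly. Assumes a PowerCLI session already connected to
# vCenter, a Windows guest running VMware Tools, and placeholder names below.
param(
    [string]$VMName       = 'TARGET-VM',                      # placeholder
    [string]$GuestAccount = 'GUEST-DOMAIN\svc-guestops',      # placeholder, least-privilege guest account
    [string]$ScriptText   = 'Get-Date | Out-File C:\Windows\Temp\added-example-output.txt'
)

$vm    = Get-VM -Name $VMName
$vmRef = $vm.ExtensionData.MoRef

# 1. Guest credentials. Every file write and process start below runs as this account
#    inside the guest: the guest OS, not vSphere, decides what it may do. Prompt for it
#    rather than embedding it in the script.
$guestCred = Get-Credential -UserName $GuestAccount -Message 'Guest OS credential'
$auth = New-Object VMware.Vim.NamePasswordAuthentication
$auth.Username           = $guestCred.UserName
$auth.Password           = $guestCred.GetNetworkCredential().Password
$auth.InteractiveSession = $false

# 2. The manager objects are served by vCenter; the file bytes themselves go to the ESXi host.
$si       = Get-View ServiceInstance
$guestMgr = Get-View $si.Content.GuestOperationsManager
$fileMgr  = Get-View $guestMgr.FileManager
$procMgr  = Get-View $guestMgr.ProcessManager

# 3. Stage the script in the guest. InitiateFileTransferToGuest returns an HTTPS URL on the
#    ESXi host that owns the VM; the script body is PUT to that URL (this is the step whose
#    security rests on the host certificate). Some builds return the literal host name "*",
#    which is replaced with the real ESXi host name here.
$bytes     = [System.Text.Encoding]::UTF8.GetBytes($ScriptText)
$guestPath = 'C:\Windows\Temp\added-example-{0}.ps1' -f ([guid]::NewGuid().ToString('N'))
$attr      = New-Object VMware.Vim.GuestWindowsFileAttributes
$putUrl    = $fileMgr.InitiateFileTransferToGuest($vmRef, $auth, $guestPath, $attr, $bytes.Length, $true)
$putUrl    = $putUrl -replace '\*', $vm.VMHost.Name
Invoke-WebRequest -Uri $putUrl -Method Put -Body $bytes -ContentType 'application/octet-stream' -UseBasicParsing | Out-Null

# 4. Execute it via VMware Tools. StartProgramInGuest returns the guest PID, which
#    ListProcessesInGuest can poll until the process records an EndTime.
$spec = New-Object VMware.Vim.GuestProgramSpec
$spec.ProgramPath      = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$spec.Arguments        = '-NonInteractive -ExecutionPolicy Bypass -File "{0}"' -f $guestPath
$spec.WorkingDirectory = 'C:\Windows\Temp'
$guestPid = $procMgr.StartProgramInGuest($vmRef, $auth, $spec)

do {
    Start-Sleep -Seconds 2
    $proc = $procMgr.ListProcessesInGuest($vmRef, $auth, @($guestPid)) | Select-Object -First 1
} while ($proc -and -not $proc.EndTime)

# 5. Remove the staged script. The cmdlet cleans up the temp files on the workstation;
#    this file lives inside the guest and would otherwise be left behind.
$fileMgr.DeleteFileInGuest($vmRef, $auth, $guestPath)

[pscustomobject]@{
    VM        = $vm.Name
    ESXiHost  = $vm.VMHost.Name
    GuestUser = $auth.Username
    GuestPid  = $guestPid
    ExitCode  = $proc.ExitCode
}
```

Reading the steps against the question in the thread: there is no SSH and no direct workstation-to-guest connection. The workstation talks HTTPS to vCenter and to the ESXi host, and the last hop into the guest is VMware Tools acting under the supplied guest account, so the guest account's privileges and the protection of the ESXi certificate are the two things to get right.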
mlrm72
Contributor

(I am the one who asked the original question on my other account.)

Interesting. So, the request originates at my workstation, and is transferred to vSphere. Is it moved into vCenter, or does vSphere interact directly with the ESXi host? It is then transferred to the ESXi host, and then inserted into the guest OS via the API. Is this correct? Is this data encrypted end to end? What protocol is being used by the API?

By ISO standards, I was referring to things like ISO 27000 which cover computer security.  Does this tool fall into the Sarbanes-Oxley Act, for example?

LucD
Leadership

Which vSphere version and which PowerCLI version are you using?

It looks as if some logic might have been changed in the latest PowerCLI build(s).


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

mlrm72
Contributor

I am using vSphere 6.5 & PowerCLI 6.5.1

LucD
Leadership

I had a closer look in my environment (vSphere 6.5U1 and PowerCLI 6.5.4), and the internals have apparently changed a bit from before.

When you run the Invoke-VMScript cmdlet, you can see the following happening:

  • the PowerShell session on your station talks with the vCenter <- probably to gather information about the target VM
  • the PowerShell session talks with the ESXi node on which the target VM is running <- this is probably where the calls to the GuestOperationsManager are happening
  • the cmdlet creates two files in the invoking user's temp directory <- one to hold the code to be executed and one to receive the output of the code
  • the two files are removed when the cmdlet exits
  • all network traffic runs over HTTPS (to the vCenter and to the ESXi node) <- this means that security is largely dependent on how well you can protect the Certificate Authority

For security reasons there are a couple of elements one needs to review:

  • if you need to provide credentials on the cmdlet, you should store these in a secure way
  • the station on which you run Invoke-VMScript shall be secured
  • since the communication uses HTTPS, the protection of the Certificate Authority is critical
  • use "real" certificates, not any self-signed ones


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

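The review points in the accepted answer (credential storage, certificate validation, the workstation-side temp files), turned into a checked Invoke-VMScript invocation. This is an added example and not code from the thread or from PowerCLI; it assumes Windows PowerShell with PowerCLI installed on the invoking station, DPAPI-backed Export-Clixml for the credential file, and the placeholder vCenter, VM and account names shown.

```powershell
# Added example (not from the thread): the workstation-side controls the accepted answer
# lists, applied around one Invoke-VMScript call. Assumes Windows PowerShell + PowerCLI,
# and placeholder names below.
$VCenter  = 'vcenter.example.test'                      # placeholder
$VMName   = 'TARGET-VM'                                 # placeholder
$CredFile = Join-Path $env:USERPROFILE 'guest-cred.xml' # DPAPI-protected credential file

# 1. Certificates: make PowerCLI refuse, not just warn about, a vCenter or ESXi certificate
#    that does not chain to a CA this station trusts. With Warn or Ignore, anyone who can
#    interpose on the HTTPS path can read the script text and the guest credential.
Set-PowerCLIConfiguration -Scope User -InvalidCertificateAction Fail -Confirm:$false | Out-Null
$cfg = Get-PowerCLIConfiguration -Scope User
if ($cfg.InvalidCertificateAction -ne 'Fail') {
    throw 'Certificate validation is not enforced; refusing to continue'
}

# 2. Credentials: keep the guest credential encrypted at rest with DPAPI (Export-Clixml),
#    bound to this user on this machine, instead of in the script or a plain-text file.
if (-not (Test-Path $CredFile)) {
    Get-Credential -Message 'Guest OS account (least privilege)' | Export-Clixml -Path $CredFile
}
$guestCred = Import-Clixml -Path $CredFile

# 3. Pass the credential object; -GuestPassword on the command line would land in the
#    PowerShell history and in process listings on the station.
Connect-VIServer -Server $VCenter | Out-Null
$before = Get-ChildItem -Path $env:TEMP | Select-Object -ExpandProperty Name
$result = Invoke-VMScript -VM $VMName -ScriptType PowerShell -GuestCredential $guestCred `
    -ScriptText 'whoami; hostname'
$after  = Get-ChildItem -Path $env:TEMP | Select-Object -ExpandProperty Name

# 4. Confirm the two temp files the cmdlet creates on the station were removed on exit;
#    anything new in TEMP after the call is reported as a leftover.
$leftover = Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject

[pscustomobject]@{
    VM           = $VMName
    ExitCode     = $result.ExitCode
    Output       = $result.ScriptOutput.Trim()
    TempLeftover = @($leftover)
}
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The credential file is readable only by the same Windows user on the same machine, which is exactly the "secure the station" point: if the workstation is compromised, the attacker already has that user's DPAPI keys, so the station hardening and the file protection stand or fall together.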
mlrm72
Contributor

Awesome! I appreciate your in-depth help on this.

I will mark the answer as correct.
