A question came up regarding security.
How does Invoke-VMScript execute commands on the guest operating system? I know that the host communicates with the guest on port 902, but what does it actually do under the hood? What path does the traffic take networkwise? Does the host use ssh or some other method to access and execute commands on the guest? How does it actually execute the command? How secure is this method? Is it compliant with ISO standards?
The Invoke-VMScript, and all other cmdlets interfacing with the guest OS, use the API methods available through the GuestOperationsManager.
From your station, the code is transferred to the ESXi node where the target VM is running.
And the ESXi node uses the above-mentioned API to communicate with the guest OS inside the VM.
Note that this mechanism requires VMware Tools to be installed inside the guest OS.
The script or code that needs to be executed is encoded and transferred to the file system inside the guest OS, where it is executed.
You need credentials that give you access to the guest OS.
The writing of the files and the execution of the code is done under those credentials.
I did a similar exercise, minus the encoding, in my Invoke-VMScriptPlus function, where I use the same API directly.
Not sure which ISO standards you are referring to?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
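The GuestOperationsManager path described in the reply above, as an added example (not code from this thread or from Invoke-VMScriptPlus): it starts one program in the guest through the API and then reads back which guest account owned the process. It assumes an existing Connect-VIServer session, running VMware Tools and a Windows guest; the VM name `app01` and the program path are hypothetical placeholders.

```powershell
# Added illustration. Assumes Connect-VIServer has already been run.
# 'app01' is a hypothetical VM name; the guest is assumed to be Windows.
$vm    = Get-VM -Name 'app01'
$vmRef = $vm.ExtensionData.MoRef
$cred  = Get-Credential -Message 'Guest OS account'

# GuestOperationsManager is reached through the ServiceInstance content.
$si    = Get-View ServiceInstance
$gom   = Get-View $si.Content.GuestOperationsManager
$auth  = Get-View $gom.AuthManager
$procs = Get-View $gom.ProcessManager

# The guest OS credentials are passed as a parameter of each API call.
$guestAuth = New-Object VMware.Vim.NamePasswordAuthentication
$guestAuth.Username           = $cred.UserName
$guestAuth.Password           = $cred.GetNetworkCredential().Password
$guestAuth.InteractiveSession = $false

# Throws if the guest OS rejects the account, so nothing runs on bad credentials.
$auth.ValidateCredentialsInGuest($vmRef, $guestAuth)

# Describe the program to start inside the guest.
$spec = New-Object VMware.Vim.GuestProgramSpec
$spec.ProgramPath      = 'C:\Windows\System32\whoami.exe'
$spec.Arguments        = ''
$spec.WorkingDirectory = 'C:\Windows\Temp'

# VMware Tools starts the process; the call returns the guest-side process id.
$guestPid = $procs.StartProgramInGuest($vmRef, $guestAuth, $spec)

# Poll until the process has ended, then report owner and exit code.
do {
    Start-Sleep -Seconds 1
    $info = $procs.ListProcessesInGuest($vmRef, $guestAuth, [long[]]@($guestPid))
} until ($info -and $info[0].EndTime)

'{0} ran as {1}, exit code {2}' -f $info[0].CmdLine, $info[0].Owner, $info[0].ExitCode
```

The `Owner` value in the output is the guest account the process ran under, which is the account supplied in `$guestAuth`.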
(I am the one who asked the original question on my other account.)
Interesting. So, the request originates at my workstation, and is transferred to vSphere. Is it moved into vCenter, or does vSphere interact directly with the ESXi host? It is then transferred to the ESXi host, and then inserted into the guest OS via the API. Is this correct? Is this data encrypted end to end? What protocol is being used by the API?
By ISO standards, I was referring to things like ISO 27000 which cover computer security. Does this tool fall into the Sarbanes-Oxley Act, for example?
Which vSphere version and which PowerCLI version are you using?
It looks as if some logic might have been changed in the latest PowerCLI build(s).
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I am using vSphere 6.5 & PowerCLI 6.5.1
I had a closer look in my environment (vSphere 6.5U1 and PowerCLI 6.5.4), and the internals have apparently changed a bit from before.
When you run the Invoke-VMScript cmdlet, you can see the following happening
For security reasons there are a couple of elements one needs to review
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Awesome! I appreciate your in-depth help on this.
I will mark the answer as correct.