open-vm-tools-devel

Possible to run external custom programs & scripts on VM, if it is running only with guestd from vmtools package

[Bhuvan R. <bhu...@gm...>]

Hi,

I have question about the how strict or loose is the environment if I am
running a VM with only guestd - guest daemon - of vmtools (no other
modules).

I noticed that PowerCLI, VIX and other vSphere management packages having
the ability of running scripts on VM and changing IP of VM etc., Do they
talk to guestd of vmtools as they send those commands to VM? What is the
architecture there? Is there anyway to make guestd to operate only in GET
mode, but not SET mode?

There is limited info guestd module per say. What are the various GETs and
SETs that can be done with guestd? Do any of those need Guest OS's
root/admin login credentials?

Thanks.

Re: Possible to run external custom programs & scripts on VM, if it is running only with guestd from vmtools package

[Ravindra K. <rav...@vm...>]

> I noticed that PowerCLI, VIX and other vSphere management packages having 
> the ability of running scripts on VM and changing IP of VM etc., Do they talk to 
> guestd of vmtools as they send those commands to VM? What is the architecture 
> there? 

Yes, any vSphere operation that runs inside the guest goes through vmtoolsd. 

> Is there anyway to make guestd to operate only in GET mode, but not SET mode? 

No. It sounds to be a new feature but not sure if it really adds any value because 
host anyway controls the guest. Given that all the communication to vmtoolsd is 
from host, if host access is controlled through proper role/access control in VC, 
SET mode should not bother you. However, if you want to control VIX 
operations from within guest, you can configure tools.conf to disable specific 
VIX operations. Here are the examples: 

Following two lines will disable all VIX operations: 

[ guestoperations ] 
disabled=TRUE 

Following lines will disable operations like VixVM_RunProgramInGuest , 
VixVM_CopyFileFromHostToGuest , VixVM_CreateDirectoryInGuest , 
VixVM_CreateTempFileInGuest , VixVM_DeleteDirectoryInGuest , 
VixVM_DeleteFileInGuest , VixVM_KillProcessInGuest , 
VixVM_RenameFileInGuest operations : 

[ guestoperations ] 
StartProgramInGuest.disabled=TRUE 
TerminateProcessInGuest .disabled=TRUE 
MakeDirectoryInGuest .disabled=TRUE 
DeleteFileInGuest .disabled=TRUE 
DeleteDirectoryInGuest .disabled=TRUE 
MoveDirectoryInGuest .disabled=TRUE 
MoveFileInGuest .disabled=TRUE 
CreateTemporaryFileInGuest .disabled=TRUE 
CreateTemporaryDirectoryInGuest .disabled=TRUE 
ChangeFileAttributesInGuest .disabled=TRUE 
InitiateFileTransferToGuest .disabled=TRUE 

There are some more commands to modify guest registry and running 
scripts inside guest etc which (unfortunately) have no control provided 
through tools.conf. 

> There is limited info guestd module per say. What are the various GETs 
> and SETs that can be done with guestd? 

vmtoolsd collects resource usage information, provides soft power 
operations, performs time synchronization with the host, and provides 
backend for VIX APIs ( https://www.vmware.com/support/developer/vix-api/vix112_reference/index2.html ). 
Most of the operations are GET. There are some of the VIX operations 
that modify things in guest. You can see these from the VIX reference 
page above. 

> Do any of those need Guest OS's root/admin login credentials? 

Typically, all the guest operations require login credentials and run as 
that user whose credentials have been provided.