Utility SpotlightOffline Virtual Machine Servicing Tool

Peter Skjøtt Larsen and Suveen Kumar Reddy Vuppala

Contents

Security Nightmare
Under the Hood
Servicing Infrastructure
Using the Tool
Coming Up

Virtualizing a computer workload simply means using a virtual machine (VM) to untether the workload from the underlying hardware. Modern IT departments find VMs useful in many situations, including:

Shifting Workloads You can easily use VMs to increase or decrease the workload bandwidth of multiple setups, as your usage demand changes, without having to make a corresponding hardware change.

Developing and Testing Applications It's possible to create multiple VMs that represent each configuration an application is supposed to support without needing dedicated hardware.

Software Upgrades You can use VMs in order to bring the new version of a software package online as you take the previous version offline—all on the same hardware.

Software Distribution VMs can be used as a unit of distribution for a line-of-business application that has a consistent combination of software in a pre-tested package.

Security Nightmare

One of the advantages of using VMs is that you are able to store them in an offline state as VM images. Then when you need them, you can "wake" these VMs and deploy them much more quickly than you could deploy the equivalent hardware.

Keeping an increasing number of computing environments waiting off­line presents a maintenance challenge, however. Many software update mechanisms rely on systems to be online in order to check for updates or to receive updates automatically.

When a VM is not online, it is just a file sitting in a computer, so it cannot interact with any update mechanism. A VM that has been brought online after being offline for a few months thus might become a threat to the network, or the network could threaten it.

It is not simply a matter of missing OS updates. Outdated applications or virus profiles can render the VM vulnerable or out of compliance with company standards.

To help customers address the challenge of keeping offline VMs up-to-date, the Microsoft Solution Accelerator team has created the Off­line Virtual Machine Servicing Tool. This tool works with System Center Configuration Manager (SCCM) 2007, Windows Server Update Services (WSUS) 3.0, and System Center Virtual Machine Manager (VMM) 2007 to orchestrate the updating of stored VMs. Figure 1 shows a conceptual rendering of the tool and how it connects to various external components.

fig01.gif

Figure 1 How the Offline Virtual Machine Servicing Tool works (Click the image for a larger view)

To make VMs available for updates, the tool uses VMM to temporarily deploy them to maintenance hosts. Because a maintenance host configuration typically has the necessary CPU and memory to run multiple VMs at the same time, the tool can manage VMs in batches.

As soon as the VMs are active on the maintenance hosts, either SCCM or WSUS can supply them with the necessary updates. After the updates have been applied, the tool uses VMM to return the VMs to their offline state. (Note that the tool only supports VMs that are managed by VMM.)

Under the Hood

The Offline Virtual Machine Servicing Tool uses Windows Workflow Foundation (WF) to orchestrate the process of updating a VM. The process has a number of decision points, beginning with choosing the appropriate update management system, picking the next available maintenance host appropriate for the VM, ensuring that the update occurred, and, finally, dealing with exceptions.

Using a Windows WF-based solution gave the development team great flexibility to change and evolve the process. It also offers users a robust solution that can be tailored to meet specific needs; at critical junctures in the process, built-in pre- and post-workflow steps provide opportunities for customization.

The tool uses Windows PowerShell to implement individual tasks below the workflow level, which ties in nicely with the Windows Power­Shell API offered by VMM. And the Microsoft .NET Framework-based UI looks and feels like System Center products, so new users should feel right at home.

Servicing Infrastructure

One of the basic principles of the servicing infrastructure is to configure network security to keep VMs from harm during the update process. In version 1.0 of the tool, this is accomplished using a Virtual Private Network (VPN) to which VMM and the appropriate update system (WSUS or SCCM) connects. The most appropriate infrastructure for a VMM library is a Fibre Channel-connected Storage Area Network (SAN), which provides the means for fast transfer of VM images to the maintenance hosts.

All the VMs must be members of the same domain, one that uses Active Directory and DNS. Separate servers can be dedicated to VMM, WSUS, SCCM, and the VMM library, but combinations of virtual servers can also be used for smaller environments. Needless to say, the maintenance hosts must be physical servers.

Using the Tool

After you have set up the servicing infrastructure, you need to check that certain settings are correct before the tool can start. Make sure that VMM is managing all the appropriate VMs, that each VM has the appropriate update client installed, and that the necessary update packages are configured in WSUS or SCCM. Ensuring that groups of maintenance hosts are configured in VMM is optional.

When you are ready, start the Off­line Virtual Machine Servicing Tool, which has a number of configuration steps of its own. You will have to designate the VMM server and the appropriate WSUS or SCCM server, and then specify which group of maintenance hosts to use (if the maintenance hosts are grouped) and which maintenance hosts from that group to use (see Figure 2). You may want to configure groups of VMs to be managed, but this is optional.

fig02.gif

Figure 2 Configuring the Offline Virtual Machine Servicing Tool (Click the image for a larger view)

After you have configured the tool, you create the servicing jobs. A servicing job contains all of the information the tool uses to manage specific VMs, including whether to use WSUS or SCCM for updates; locations of the VMM server and the WSUS or SCCM server; identities of the VMs to be managed; type (and identity, as appropriate) of network to use for the process; identities of the maintenance hosts to use; account credentials needed to access the VMs, the VMM server, and the WSUS or SCCM server; and, finally, the schedule for running the servicing job (run immediately or at a specific date and time).

If you specify a date and time for the servicing job, Windows Task Scheduler determines when to start it. As the servicing job runs, the Offline Virtual Machine Servicing Tool follows this sequence for each VM:

  • Select the next VM from the VMM library.
  • Query VMM for the most appropriate maintenance host.
  • Deploy the VM onto the maintenance host.
  • Ensure that the VM connects to the correct network.
  • Start the VM.
  • Make sure the appropriate update client is installed on the VM.
  • Trigger the update process.
  • Wait for the update process to complete.
  • Shut down the VM.
  • Store the VM back in the VMM library.

The time it takes to update a library of VMs will vary greatly, depending on the number and capacity of the maintenance hosts, the access speed of the VMM library storage, and the nature of the updates.

You should note that the current version (1.0) of the Offline Virtual Machine Servicing Tool does not support network access protection (NAP), which is a really attractive way to protect VMs from the network. In addition to this, it does not support the Hyper-V technology of Windows Server 2008 or the use of Windows Server 2008 as a client OS.

Newer versions of SCCM, WSUS, and VMM will be available soon, and version 2.0 of the Offline Virtual Machine Servicing Tool will provide support for them as well as for Hyper-V and the use of Windows Server 2008 on the client. The tool is also going to support NAP for network isolation. You can download the Offline Virtual Machine Servicing Tool at technet.microsoft.com/cc501231.

Peter SkjØtt Larsen is a Senior Product Manager at Microsoft. Before joining Microsoft, Peter was involved in both architecture and development of telecom operational software systems and standardization and development of wireless services.

Suveen Kumar Reddy Vuppala is a Senior Software Development Engineer at Microsoft. He was previously involved in designing and developing the real-time monitoring tools and deployment solutions for Microsoft for the past seven years.