Readers email me frequently with virtualization questions asking for advice or about how to solve problems in their virtual environments. Each week I'll share some select questions and my answers so that others can learn as well.
If you have your own question, fill out this form and I'll publish it in an upcoming column.
Question: What are the current security challenges with virtualization? What are your concerns as a system administrator?
The biggest security challenge in a virtual environment is understanding the unique vulnerabilities that virtualization introduces. Virtual security consists of layered defenses; first and foremost, the host server must be protected at all costs, as a compromised host can easily lead to compromised VMs. Traditional physical network security devices such as intrusion detection systems (IDSes) and intrusion prevention systems (IPSes) are not effective in virtual environments, because the network extends into the host server, where a physical IDS or IPS has no visibility.
Using virtualization-specific security tools helps protect and monitor your virtual networks. Virtual machines should be secured in the same way as their physical counterparts, but you should also take care to protect access to them from outside the guest operating system, through the virtualization layer. To help you with this there are a number of security guides specific to virtualization, including ones from CISecurity on securing ESX hosts and securing virtual machines, and also one published by VMware on security hardening guidelines for ESX.
My main concern as an administrator would be maintaining security once you have implemented it. Once security is in place, it's easy to change settings that weaken it. Security always comes with a cost, and that cost is usually convenience; as a result, security is often circumvented to make administration easier. Again, there are virtualization-specific security compliance products available that will help you audit and maintain a secure virtual environment.
I want to create a spreadsheet to document guest virtual machines, hosts, network interface cards, disk info, etc. for my environment. Is it possible to create a script that will do this for me so that I don't have to collect the information manually?
There are definitely ways to script this. PowerShell will be your best friend. PowerShell is a relatively easy-to-use, robust, Windows-based scripting language, and there are VMware-specific libraries that can be used with it. There are also many pre-written scripts that can be downloaded so you don't have to start from scratch.
To get started with PowerShell, you can check out the tutorial PowerShell scripting with VMware ESX: Installing and using the PowerShell tool and using Quest's PowerGUI PowerPack script editor. Then check out some of the scripts below, created by some PowerShell gurus. The scripts might not be exactly what you want, but they do some of what you asked and you can modify them to suit your needs.
- VMware Infrastructure Power Documenter
- Report into Microsoft Word
- PowerCLI: Daily Report V1 and V2
- Health Check VM
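As an added example (not one of the scripts listed above, and not the column's own code), here is a minimal PowerCLI inventory script that gathers VM, host, NIC and disk information into CSV files a spreadsheet can open. It assumes VMware PowerCLI is installed, PowerShell 3 or later (for `[pscustomobject]`), and a read-only account; the server name and output paths are placeholders. The ThinDisks column also flags which VMs carry thin-provisioned disks, which matters for the defragmentation question answered later in this column.

```powershell
# Added example, not from the original column: PowerCLI VM/host inventory to CSV.
# Assumes PowerCLI is loaded and a read-only vCenter/ESX account. Placeholders below.
param(
    [string]$Server  = "vcenter.example.local",   # placeholder vCenter or ESX host
    [string]$OutFile = "vm-inventory.csv"         # placeholder output path
)

Connect-VIServer -Server $Server | Out-Null

# One row per VM; NICs and disks are flattened into semicolon-separated lists
$rows = foreach ($vm in Get-VM) {
    $nics  = Get-NetworkAdapter -VM $vm
    $disks = Get-HardDisk -VM $vm

    [pscustomobject]@{
        VM         = $vm.Name
        Host       = $vm.VMHost.Name
        PowerState = $vm.PowerState
        GuestOS    = $vm.Guest.OSFullName
        vCPU       = $vm.NumCpu
        MemoryMB   = $vm.MemoryMB
        NICs       = ($nics | ForEach-Object { "$($_.Name)=$($_.NetworkName)/$($_.MacAddress)" }) -join ';'
        # CapacityKB / 1MB (1048576) converts kilobytes to gigabytes
        DiskGB     = [math]::Round(($disks | Measure-Object -Property CapacityKB -Sum).Sum / 1MB, 1)
        # Count of thin-provisioned disks: defragmenting these grows the VMDK
        ThinDisks  = @($disks | Where-Object { $_.StorageFormat -eq 'Thin' }).Count
        DiskFiles  = ($disks | ForEach-Object { $_.Filename }) -join ';'
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation

# Host summary goes to a second sheet-ready CSV
Get-VMHost |
    Select-Object Name, Version, Build, NumCpu, MemoryTotalMB, ConnectionState |
    Export-Csv -Path "hosts-$OutFile" -NoTypeInformation

Disconnect-VIServer -Server $Server -Confirm:$false
```

Schedule it with a read-only account so the inventory stays current without granting the script any rights to change the environment.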
I read your article on defragmenting virtual machine disk files. In the article, you recommend defragmenting through the OS as needed. But if I defrag a VM with a thin disk, will it undo the thin provisioning during the defragment operation?
You should definitely use care when defragmenting thin disks, and only do it if the disk is heavily fragmented. The defragment operation writes to disk blocks all over the disk while it tries to make files use contiguous disk space and will definitely increase your thin disk size.
When I wrote that article, thin disks were not commonly used, as they were difficult to create, manage and report on in VMware Infrastructure 3.
If you do have a disk that is heavily fragmented and will benefit from being defragmented, there are some steps you can take afterwards to shrink the disk back down once the defrag operation completes. The first thing you should do after defragging is run the sdelete command inside the guest OS, which zeroes the empty disk blocks so they contain no data. Then, use Storage VMotion to compress your disk file back down so the .VMDK file is close to the actual space used inside the disk. If you do not run sdelete before running Storage VMotion, it will not compress that much, as deleted data on the disk is not considered empty disk space because it has already been written to. You can read more about reclaiming unused VMDK disk space here.
Eric Siebert is a 25-year IT veteran with experience in programming, networking, telecom and systems administration. He is a guru-status moderator on the VMware community VMTN forums and maintains VMware-land.com, a VI3 information site.