I know that in the era of IaC, OS templates should be gone, but they are still alive. During my work I faced a situation where I had to patch about 30 Windows Server VMware VM templates every month with only specified patches, which were previously approved by the relevant team. The patches were defined in SCCM – for that I wrote another script to gather all the needed patches and create an ISO which is the entry point for the patching script – but this is a different story.
One can ask why so many templates … Well, there was more than one vSphere, each with at least three Datacenter objects with separate datastores. So to deploy VMs in each DC, one template per operating system was required. In this post I will focus on patching Windows 2012 R2 and Windows 2016 templates only.
As a result of the patching, an MBSA report will be created, run against the newest MBSA offline cab file – this file is also on the ISO.
So as the entry point I have the ISO file, which contains all the necessary patches, the MBSA binaries and the MBSA offline cab file.
As the result I would like to have an MBSA report file, run against the newest MBSA offline cab file, to be sure that the template is correctly patched.
For the script I'll use PowerShell and the VMware PowerShell extension, PowerCLI.
What the script needs to do:
- Connect to the vSphere Server
- Get the datastore where template is located
- Convert template to VM
- Take a snapshot – in case of failure
- Copy the ISO file to the datastore, where template is located
- Mount the ISO to the VM
- Start VM
- Install patches required for the OS
- Reboot VM
- Check if all necessary patches were installed
- Install MBSA
- Run MBSA
- Copy report from VM to defined location
- Delete the report from VM
- Uninstall MBSA
- Power off the VM
- Unmount the ISO file
- Delete the snapshot
- Convert VM to the template
- Delete the ISO file from datastore
- Disconnect from the vSphere server
This solution of course has one disadvantage: if two or more templates in one of the datacenters are stored on the same datastore, running the script simultaneously on these templates will fail, because the script will not be able to upload the ISO to the datastore while it is mounted on another VM. To work around this, one needs to patch one template per vSphere datacenter, or copy the ISO file to the VM folder instead of the root of the datastore – maybe in the next script version …
With the steps defined, I need the following input parameters:
- vSphere Server name
- Credentials to access vSphere
- Path to the ISO file
- Template name
- Credentials to access VM on the OS level
- Path where to save the MBSA report
- Path to the log file – the script will log the steps which are being performed – on the screen and to the file
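The host-side part of the steps above, as an added PowerCLI example (this is not the author's script, which follows in part two). It shows the template being returned to its template state even when a step fails. The parameter names, the snapshot name `pre-patch`, the drive name `tplds` and the per-template ISO file name are assumptions made for this example.

```powershell
# Added example: host-side lifecycle only (requires VMware PowerCLI).
# Guest-side work (patch install, reboot, verification, MBSA) is outside this example.
param(
    [Parameter(Mandatory)] [string]       $VIServer,
    [Parameter(Mandatory)] [pscredential] $VICredential,
    [Parameter(Mandatory)] [string]       $IsoPath,
    [Parameter(Mandatory)] [string]       $TemplateName
)
$ErrorActionPreference = 'Stop'
$isoName = "$TemplateName-patches.iso"   # assumption: per-template name, so two runs never upload over the same file

$server = Connect-VIServer -Server $VIServer -Credential $VICredential
$vm = $null; $snapshot = $null; $succeeded = $false
try {
    $template = Get-Template -Name $TemplateName -Server $server
    $vm       = Set-Template -Template $template -ToVM
    $ds       = Get-Datastore -RelatedObject $vm | Select-Object -First 1
    $snapshot = New-Snapshot -VM $vm -Name 'pre-patch' -Description 'Rollback point for template patching'

    # Upload the ISO through a temporary datastore drive, then attach it to the VM's CD drive.
    New-PSDrive -Name tplds -PSProvider VimDatastore -Root '\' -Location $ds | Out-Null
    Copy-DatastoreItem -Item $IsoPath -Destination "tplds:\$isoName" -Force
    Get-CDDrive -VM $vm | Set-CDDrive -IsoPath "[$($ds.Name)] $isoName" -StartConnected:$true -Confirm:$false | Out-Null

    Start-VM -VM $vm | Wait-Tools -TimeoutSeconds 600 | Out-Null

    # Guest-side steps run at this point (see the step list above).

    Shutdown-VMGuest -VM $vm -Confirm:$false | Out-Null
    while ((Get-VM -Id $vm.Id).PowerState -ne 'PoweredOff') { Start-Sleep -Seconds 5 }
    $succeeded = $true
}
finally {
    if ($vm) {
        if ((Get-VM -Id $vm.Id).PowerState -ne 'PoweredOff') { Stop-VM -VM $vm -Confirm:$false | Out-Null }
        # On failure, roll back to the snapshot before discarding it.
        if ($snapshot -and -not $succeeded) { Set-VM -VM $vm -Snapshot $snapshot -Confirm:$false | Out-Null }
        Get-CDDrive -VM $vm | Set-CDDrive -NoMedia -Confirm:$false | Out-Null
        if ($snapshot) { Get-Snapshot -VM $vm -Name 'pre-patch' | Remove-Snapshot -Confirm:$false }
        Set-VM -VM $vm -ToTemplate -Confirm:$false | Out-Null
    }
    if (Test-Path "tplds:\$isoName") { Remove-Item "tplds:\$isoName" }
    Remove-PSDrive -Name tplds -ErrorAction SilentlyContinue
    Disconnect-VIServer -Server $server -Confirm:$false
}
```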
This ends part one of patching VM templates. The script itself will be created, explained and presented in part two.