VMware

VMware ACE

Updating Virtual Machines

From time to time, you may need to update your end users' virtual machines. In general, there are two ways of providing updates.

  • You may need to update the guest operating system or provide an update to a program running in the guest operating system.
  • You may need to update either the virtual machine itself or policies applied to the virtual machine or add a new virtual machine to the package.
Distributing Software Updates

If you simply need to update the operating system or other software running inside the virtual machine, in most cases you should use the same mechanisms you use to distribute software updates to physical computers.

The advantage of distributing updates in this way is that end users' data stored in their virtual machines is not affected by the update.

If you are using virtual machine versions to ensure that your end users are running up-to-date virtual machines, see Using nq-set to Update Network Quarantine Versions for information on how to update the version number when the user updates software in the virtual machine.

If you plan to distribute additional copies of the virtual machine, you should also use nq-set to update the version number in your local copy of the virtual machine and create an updated package for future distribution.

Creating Update Packages

If you need to provide a completely new virtual machine to your end users — either as a replacement to an existing virtual machine or in addition to any existing virtual machines — or if you need to change the policies applied to the virtual machine, you can create an update package for your users to install. You create the update package using the same project you used to create the original package.

Note: If your users replace an existing virtual machine by installing the update package, everything in the virtual machine is replaced. This means any user data and settings stored in the original virtual machine are lost.

In general, when you create an update package, you follow the same steps you do to create a new package.

  1. Using VMware ACE Manager, make any needed changes to the virtual machines. For example, you may want to update software installed in the virtual machines or change the policies applied to the virtual machines. For details, see Creating Projects.

    You can update most policies by distributing a package that contains the new policies. However, you should note the following exceptions:

    • Reimage virtual machine — You may change this setting at any time, but the change affects only virtual machines that are installed or reinstalled after you make the change. If you distribute a package that contains only policies, changes to this policy have no effect on virtual machines that are already installed. The end user sees no error message, but the updated policy is not applied.
    • Encryption and authentication — You may change these settings at any time, but the change can be applied only if you include the virtual machine in the package. You should not distribute a policy-only package that includes changes to encryption and authentication policies. Package installation will fail for the affected virtual machine.
    • Recovery key (Project > Settings) — Recovery key changes are not supported in upgrades to existing projects.
  2. If you are using virtual machine versions for network quarantine, be sure to set the correct version number when you apply network quarantine policies to the virtual machine. For details, see Updating Network Quarantine Versions.
  3. Create the package as described in Creating Packages to Deploy to Users.

Note: All packages installed on an end user's computer must come from the same VMware ACE Manager project.

Updating Network Quarantine Versions

If you are using network quarantine versions to control virtual machine access to your network, be sure to update the version numbers when you make changes to the virtual machine.

Changing the version is a two-part process.

  • Use the policy editor to update the version and store the new settings on the Web server or Active Directory server where you store policy settings.
  • Run the nq-set command in your copy of the virtual machine so the correct version number is included when you create new packages. For details, see Using nq-set to Update Network Quarantine Versions.

Take the following steps to update the network quarantine version:

  1. Start VMware ACE Manager, open the project and click the name of the virtual machine in the project contents list to show the virtual machine summary.

    In the Commands section, click Edit network quarantine policy.

  2. The policy editor opens.

    Click the Manage Versions link.

  3. The Manage Versions panel appears.

    To add a new version to the list, click Add.

  4. The Add New Version dialog box appears.

    You can change the name for the new version of the virtual machine and add a description if you wish.

    The dialog box displays the nq-set command needed to update the version number for the virtual machine. You may copy the command from the dialog box and paste it into a text file for later use. You must run this command in your local copy of the virtual machine. If you are distributing your update using a patch management system or by sending end users an updater that they must run, this command must also be part of the update script run in the end users' guest operating systems. For details on the nq-set command, see Using nq-set to Update Network Quarantine Versions.

    Click OK to continue.

  5. The Manage Versions panel now shows the new version in the list.

    Click and drag the slider at the left of the versions list to specify which versions have normal access and which versions have restricted access. Versions above the red line have normal access, as defined in your network quarantine policies. Versions below the red line have restricted access.

    Click Next to continue.

  6. The Messages panel appears.

    You may enter a custom message that end users see when the virtual machine has restricted access.

    If you select Display message when update is available, enter the message you want end users to see when the virtual machine has normal access but a more recent version is available.

    Click Next to continue.

  7. The Ready to Complete panel appears. If the information in the summary is correct, click Next to continue. Otherwise, use the navigation links on the left to go to the panels where you want to make changes.
  8. The Deploy Policy panel appears.

    The options available on the panel depend on the type of network quarantine you are using and whether you are storing your policies on an Active Directory server or on a Web server. Make the appropriate selections, then click Finish.

You have completed the process for updating the network quarantine version stored on your Web server or Active Directory server.

Using nq-set to Update Network Quarantine Versions

When you perform software updates inside the virtual machine, use the nq-set command to update the network quarantine version for the virtual machine. The version number is used to determine which network quarantine policies to apply to the virtual machine if you are using either version-based network quarantine or custom network quarantine.

The nq-set command must be run from within the guest operating system. It is available in the guest operating system after you install the version of VMware Tools provided with VMware ACE Manager.

Note: In this release, you must run the nq-set command in the guest operating system while the virtual machine is running in preview mode or while it is running in VMware ACE on the end user's computer. It does not take effect if you simply run the virtual machine by powering it on within VMware ACE Manager.

Windows guest: The command is

"C:\Program Files\vmware\vmware tools\vmwareservice" -cmd "nq-set [-n] [new descriptor]"

Enter the entire command on a single line.

Linux guest: The command is

/usr/sbin/vmware-guestd --cmd "nq-set [-n] [new descriptor]"

Enter the entire command on a single line.

In the commands above, -n is an optional flag that instructs the host to verify the validity of the new descriptor but not save it.

Return Values

The exit value of the command is 0 if the descriptor is valid, or 1 if it is invalid.

Sample Usage

If you want to check whether descriptor 0x7B4C2902 is valid, use the optional -n flag, as shown in the following command:

/usr/sbin/vmware-guestd --cmd "nq-set -n 0x7B4C2902"

An exit value of 0 means that the descriptor is valid.

To set the descriptor to the value 0xFA542D3F, use the following command:

/usr/sbin/vmware-guestd --cmd "nq-set 0xFA542D3F"

An exit value of 0 means that the descriptor is valid and has been saved.

Custom network quarantine applications can save arbitrary strings by using the nq-set command. For example, assume that you want to save the following string:

"os=winxp-sp2,ie=6.0,virusdefs=4.0,office=2003-sp1"

You may do so using the following command:

/usr/sbin/vmware-guestd --cmd "nq-set os=winxp-sp2,ie=6.0,virusdefs=4.0,office=2003-sp1"

Enter the entire command on a single line.

An exit value of 0 means that the descriptor is valid and has been saved.

Using nq-set with Version-Based Network Quarantine

Each version update defined in the Network Quarantine Wizard has a network quarantine descriptor associated with it. The Network Quarantine Wizard also displays the command you need to run in the guest operating system to update the descriptor. To view that command, go to the Manage Versions panel in the Network Quarantine Wizard, choose the version you want to check, then click Properties. The command is shown in the field at the bottom of the screen.

You must update the network quarantine descriptor after you apply an update to the guest. Updates must be applied in the order that they were defined.

Note: Your patching mechanism should check whether the nq-set command will succeed before it applies any updates to prevent the user from applying patches out of order and causing the guest patch level to be out of sync with the network quarantine identifier. You can verify whether a nq-set command would succeed by passing the -n flag to the command.
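The ordering check described in the note above, as an added example for a Linux guest (not VMware's code): the wrapper runs the -n dry run first, applies the update only if the host would accept the descriptor, and saves the descriptor only after the update succeeds. The function names and the NQ_GUESTD override are hypothetical, and the "0x plus eight hex digits" shape is an assumption taken from the sample descriptors on this page.

```shell
#!/bin/sh
# Added example, not VMware code. NQ_GUESTD defaults to the guest daemon path
# shown on this page; the override exists only so the wrapper can be tested.
NQ_GUESTD="${NQ_GUESTD:-/usr/sbin/vmware-guestd}"

# Assumption: version descriptors look like the samples (0x + 8 hex digits).
# Anything else is refused before it is placed inside the --cmd string.
nq_descriptor_ok() {
    case "$1" in
        0x????????) ;;
        *) return 1 ;;
    esac
    case "${1#0x}" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# Dry run (-n): exit 0 if the host would accept the descriptor, nothing saved.
nq_check() {
    nq_descriptor_ok "$1" || return 1
    "$NQ_GUESTD" --cmd "nq-set -n $1" >/dev/null 2>&1
}

# Save the descriptor on the host.
nq_commit() {
    nq_descriptor_ok "$1" || return 1
    "$NQ_GUESTD" --cmd "nq-set $1" >/dev/null 2>&1
}

# apply_update DESCRIPTOR COMMAND [ARGS...]
# 0 = patched and saved, 2 = out of order (nothing run),
# 3 = patch failed (descriptor untouched), 4 = patched but save failed.
apply_update() {
    desc="$1"; shift
    if ! nq_check "$desc"; then
        echo "nq-set -n rejected $desc; update not applied" >&2
        return 2
    fi
    if ! "$@"; then
        echo "update failed; descriptor left unchanged" >&2
        return 3
    fi
    if ! nq_commit "$desc"; then
        echo "update applied but $desc was not saved" >&2
        return 4
    fi
}
```

Return code 4 is the case to alert on: the guest is patched but the host still holds the old descriptor, so the two are out of sync until nq-set is rerun.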

Using nq-set with Custom Network Quarantine

The network quarantine descriptor can store an arbitrary string that describes the patch level of the guest operating system and other software. Your custom plug-in script should verify that arbitrary string, then decide whether to grant the virtual machine normal network access or restricted network access.

For details on writing network quarantine plug-ins, see Network Quarantine Plug-Ins.
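One way a custom check could verify the descriptor string, as an added example (not VMware's code, and not the plug-in interface, which this page does not describe): it parses the comma-separated key=value form used in the sample above and fails closed to restricted access on anything malformed, duplicated, missing or off-baseline. The function name nq_decide and the NQ_BASELINE values are hypothetical.

```shell
#!/bin/sh
# Added example, not VMware code.
# Hypothetical baseline: the exact key=value pairs required for normal access.
NQ_BASELINE="os=winxp-sp2 ie=6.0 virusdefs=4.0 office=2003-sp1"

# nq_decide DESCRIPTOR -> prints "normal" or "restricted".
# The descriptor is set from inside the guest, so it is parsed as untrusted input.
nq_decide() {
    desc="$1"
    # Only the characters of the sample descriptor; no empty or edge items.
    case "$desc" in
        ""|,*|*,|*,,*|*[!A-Za-z0-9=,.-]*) echo restricted; return 0 ;;
    esac
    seen=" "
    matched=0
    oldifs=$IFS; IFS=,
    set -- $desc
    IFS=$oldifs
    for pair in "$@"; do
        # Exactly one "=", with a non-empty key and value.
        case "$pair" in
            *=*=*|=*|*=) echo restricted; return 0 ;;
            *=*) ;;
            *) echo restricted; return 0 ;;
        esac
        key=${pair%%=*}
        val=${pair#*=}
        # A repeated key could otherwise stand in for a missing one.
        case "$seen" in
            *" $key "*) echo restricted; return 0 ;;
        esac
        seen="$seen$key "
        # Unknown keys and off-baseline values are both refused.
        case " $NQ_BASELINE " in
            *" $key=$val "*) matched=$((matched + 1)) ;;
            *) echo restricted; return 0 ;;
        esac
    done
    # Every baseline entry must be reported, not just a subset.
    set -- $NQ_BASELINE
    if [ "$matched" -eq "$#" ]; then echo normal; else echo restricted; fi
}
```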
