VMWare Tools Upgrade Breaks Script With Invoke-VMScript and Pass-through Credentials
Recently I upgraded a VCenter test cluster to 6.7 Update 3 and hit an issue with running Invoke-VMScript command.
I was working on and made some changes to a VM deployment script that is constantly in development and decided that the updated test cluster would be a great place to test those changes as there were no other VMs on it and I had just matched it as close to production as possible. I ran the script as normal and it completed the basic deployment of the VM fine. Unfortunately during post deployment configuration I got an error with my Invoke-VMScript command that stated "Could not locate "Powershell" script interpreter in any of the expected locations.".
This error seemed off to me as I have ran it on the production cluster countless times before with no problem. At first I assumed maybe there was an issue with my template but I converted it to a VM and tested the command successfully. Next I decided to test out just the Invoke-VMScript command against the VM and received the same error. After quite a few more unsuccessful tests I finally determined I needed to add the "-GuestCredential" option. The question I had to answer now was why would I have to provide a guest credential now when those credentials had previously always been passed through.
Now I had to go through the script step-by-step and determine where the breakdown occurred. First I checked my template by converting it to a VM and the Invoke-VMScript command worked as it should. Then I discovered that right before the command is ran I had it set to upgrade VMWare Tools if they were outdated. In VCenter 6.7U3 it came with VMWare Tools 10.3.10 which had recently been released an had not been deployed with any of my VMs yet. To test out my theory that the tools upgrade must be breaking it I manually deployed a new VM ran the command and everything worked fine and then I upgraded the tools to 10.3.10 and I received the same error. I was able to get passed the error using the "-GuestCredential" option again.
Thinking maybe VMWare broke something during the upgrade I opened a support case. Unfortunately the response I received was not what I was hoping for but did correct a security issue so I can't be too upset about it and is as followed.
"Kindly be informed this normal behavior because VMware tools 10.3.10 solved security issues.
VMware Tools lower than 10.3.10. The official designation from VMware is VMSA-2019-0009<https://www.vmware.com/security/advisories/VMSA-2019-0009.html> on the VMware Security Advisories page<https://www.vmware.com/security/advisories.html> .
This vulnerability is classified as “important” which, according to the Security Response Policy<https://www.vmware.com/support/policies/security_response.html>."
So to get past the error for now I updated my script to prompt for the credentials to be entered and looks something like this.
I was working on and made some changes to a VM deployment script that is constantly in development and decided that the updated test cluster would be a great place to test those changes as there were no other VMs on it and I had just matched it as close to production as possible. I ran the script as normal and it completed the basic deployment of the VM fine. Unfortunately during post deployment configuration I got an error with my Invoke-VMScript command that stated "Could not locate "Powershell" script interpreter in any of the expected locations.".
This error seemed off to me as I have ran it on the production cluster countless times before with no problem. At first I assumed maybe there was an issue with my template but I converted it to a VM and tested the command successfully. Next I decided to test out just the Invoke-VMScript command against the VM and received the same error. After quite a few more unsuccessful tests I finally determined I needed to add the "-GuestCredential" option. The question I had to answer now was why would I have to provide a guest credential now when those credentials had previously always been passed through.
Now I had to go through the script step-by-step and determine where the breakdown occurred. First I checked my template by converting it to a VM and the Invoke-VMScript command worked as it should. Then I discovered that right before the command is ran I had it set to upgrade VMWare Tools if they were outdated. In VCenter 6.7U3 it came with VMWare Tools 10.3.10 which had recently been released an had not been deployed with any of my VMs yet. To test out my theory that the tools upgrade must be breaking it I manually deployed a new VM ran the command and everything worked fine and then I upgraded the tools to 10.3.10 and I received the same error. I was able to get passed the error using the "-GuestCredential" option again.
Thinking maybe VMWare broke something during the upgrade I opened a support case. Unfortunately the response I received was not what I was hoping for but did correct a security issue so I can't be too upset about it and is as followed.
"Kindly be informed this normal behavior because VMware tools 10.3.10 solved security issues.
VMware Tools lower than 10.3.10. The official designation from VMware is VMSA-2019-0009<https://www.vmware.com/security/advisories/VMSA-2019-0009.html> on the VMware Security Advisories page<https://www.vmware.com/security/advisories.html> .
This vulnerability is classified as “important” which, according to the Security Response Policy<https://www.vmware.com/support/policies/security_response.html>."
So to get past the error for now I updated my script to prompt for the credentials to be entered and looks something like this.
Comments
Post a Comment