Useful Software
Patching
Patching virtual machines
is a particularly thorny issue. Often, as in the case of anti-malware software,
patches and updates may need to take place as frequently as every hour. The
greater the variety of virtual machine images that must be updated the more
difficult and time-consuming the task. Thinking about how patch management is
usually done (through client agents), how can patches be pushed to virtual
machines when they aren't powered on?
All of this patching makes maintaining the gold virtual machine image more difficult. Management overhead increases exponentially with more virtual machine images, more virtual machine instances and more patches. These things happen naturally over time, so eventually an organization must sift through and clean up virtual machine images, decommission some, commission new clones from a patched gold virtual machine image and customize the clones. This is where having a current, easily accessible and comprehensive catalog or inventory of virtual machine images becomes critical.
There is also the issue
of management of dormant virtual machine images versus active virtual machine
instances. Agents that run on instances and report information back to a
central server (like most endpoint software) may neglect to manage images while
stored on disk. Maintaining entire virtual machine images is extremely time-consuming.
Except for the smallest operations, firing up every virtual machine to update
it, scanning it, applying patches and then shutting it down would take
man-years.
I reviewed Shavlik NetChk
Protect 7 and found it to be a very helpful patch management and anti-malware solution
for virtual machine images. During testing, I was able to patch and protect
virtual machine images (VMX files) with the same ease as managing a physical
machine. Also, it almost goes without saying that VMware vSphere should be
considered by any organization trying to manage the deployment, patching and redeployment
of virtual machine images.
Inventory is essential
Keeping track of deployed
systems and determining which software is installed where has implications for
licensing, as most enterprise commercial software is licensed on a
per-installation or per-user basis. Software needs to be inventoried before it
can be maintained and patched. It's also critical to prevent unauthorized
software such as peer-to-peer file sharing from being installed and run to ensure that physical
compute resources are used for legitimate business purposes.
There are many inventory
control products on the market today from companies such as IBM Tivoli, CA, BigFix and
Symantec. In essence, these solutions install an agent on each machine (virtual
or physical) that periodically scans the file system and memory, determines what
software is installed, and reports back to a central reporting server. Traditional
physical solutions require the machine to be powered on and the agent to be
running, and many times the scanning is resource-intensive.
A better way is to work
with virtual machine image files directly on disk. This is where VMware stands
above other virtual machine image management and tracking solutions. VMware
vSphere, with add-ons such as Host Profiles, VMware vCenter, VMware vCenter
Orchestrator and VMware Update Manager, is an excellent solution for configuration
management.
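
As an added illustration (not code from the article or from any product named in it), this sketch catalogs dormant images straight from disk: it parses the `key = "value"` settings in each `.vmx` file under a directory and flags images that have not been modified within a patch window. The datastore path, the 30-day threshold and the use of file modification time as a stand-in for "last patched" are assumptions.

```python
import os
import re
import time

# A .vmx file holds one setting per line in the form:  key = "value"
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return the settings of a .vmx file as a dict keyed by lower-cased name."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # skip comment / shebang lines
            continue
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def inventory_images(root, max_age_days=30, now=None):
    """Catalog every .vmx under `root`, oldest first, without powering anything on.
    Staleness uses file mtime as a proxy for the last patch run (assumption)."""
    now = time.time() if now is None else now
    catalog = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".vmx"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                cfg = parse_vmx(fh.read())
            age_days = (now - os.path.getmtime(path)) / 86400
            catalog.append({
                "path": path,
                "name": cfg.get("displayname", name),
                "guest_os": cfg.get("guestos", "unknown"),
                "age_days": round(age_days, 1),
                "stale": age_days > max_age_days,
            })
    return sorted(catalog, key=lambda e: e["age_days"], reverse=True)


if __name__ == "__main__":
    for entry in inventory_images("/vmfs/volumes/datastore1"):  # hypothetical path
        flag = "STALE" if entry["stale"] else "ok"
        print(f'{flag:5} {entry["age_days"]:7.1f}d {entry["guest_os"]:20} {entry["name"]}')
```
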
Thinking strategically,
integration between the virtual machine, the virtual machine image and storage
is going to become tighter and tighter. NetApp, EMC and just about all the
other companies in the space are focused on alleviating the pain points around
storing and managing virtual machine images on disk. For example, NetApp
FlexClone creates a gold virtual machine image from which it can deploy
thousands of virtual machine clones directly at the datastore.


Matthew D. Sarrel, CISSP, is a network security, product development, and technical marketing consultant based in New York City. He is also a game reviewer and technical writer. To read his opinions on games please browse 






