Patching Offline VMware Machines

Shavlik's NetChk Protect 6.5 lets IT administrators patch offline VMware virtual machines. Though NetChk Protect 6.5 is focused only on Microsoft Windows and VMware environments, Shavlik's products offers IT administrators a way to save time and effort updating offline virtual machines.

Patch deployment to virtual and physical systems just got a lot easier with the Sept. 2 release of Shavlik NetChk Protect 6.5.

With the ability to deploy patches to offline VMware virtual machines, IT managers can now be confident that VMs that are only used occasionally will spin up with the most current patches, hot fixes and service packs.

NetChk Pro 6.5 is focused on the Microsoft Windows/VMware environment, which is counter to the hypervisor cross-platform I'd like to see in a product that receives an eWEEK Labs Analyst Choice award. Even with this significant lack, IT managers should put Shavlik's NetChk Pro 6.5 at the very top of any security strategy plan for the labor- and time-saving advantages that come from the ability to automatically and consistently apply updates to offline VMs that are otherwise quite difficult to keep up-to-date.

In December 2007, Shavlik integrated some of its patch management technology into VMware Update Manager. Both VMware Update and Shavlik NetChk Protect can scan and patch the online and offline ESX Server images. NetChk Protect can also scan VMware Workstation and VMware Server images. Company officials said that VMs created with Microsoft Hyper-V and Citrix XenServer are coming in the future.

A Shavlik NetChk Protect license costs a one-time license fee of $75 per server and $35 per workstation, plus 25 percent maintenance per year at quantity 100.

The basic mechanics of working with offline VMs involved placing the machines into a special offline group in the NetChk console. I then scheduled scans of these offline systems using the NetChk console. NetChk uses the VMware mount utility to load the image on a temporary drive on the NetChk console system. Registry settings are also temporarily accessed at the same time. The patches and the NetChk scheduler are copied to the offline image. When the VM is powered on, the first job that runs is the NetChk update.

In my tests, the NetChk scheduler worked as described; updates that were scheduled in the future were not executed until the correct date. Updates that were scheduled for immediate deployment executed as soon as the VM image was powered on.

It was simple to add virtual images to the offline scan machine group using the NetChk Protect. Because I tested NetChk Protect in a VMware infrastructure environment using ESX Servers managed by VirtualCenter 2.5 (see review here), I browsed to my VirtualCenter system and then to the ESX server and selected my virtual images.

This first version of Shavlik's offline scanning and patching tool isn't without some blemishes. Importantly, virtual images that are members of the offline machine group are not scanned with offline policies when they are running. They are scanned as part of the traditional scan process that is normally used to manager patching for running systems. In practical terms, this meant that I got "machine not scanned" messages when normally offline images were part of a scan job, which could be construed as errors by IT operations staff.

Additional funniness was encountered in the UI, including a message that patch databases were being updated from Shavlik's secure site even when the product was configured to run in disconnected mode. As well, virtual machines that were online during initial scanning but then were taken offline and subsequently scanned were still assigned the "connected" icon in status monitoring screens, which again caused me some confusion during testing and will likely confuse IT staff.

There is a long list of offline virtual configurations that are not supported by NetChk Protect. Dual boot systems, no encrypted virtual disks, no virtual images that have associated .VMDK (Virtual Machine Disk) files that are compressed or encrypted, and linked clones, template images and compressed images are not supported. This long list of exceptions didn't cause a problem for my "consolidate as many guests onto one host as simply and efficiently as possible" test bed.

Many views

Also new in NetChk Protect are two important administrative updates that significantly improve how IT administrators can manage patching. A "machine-centric" view has been added so that scanning, patching and status information about individual systems has been added. As well, role-based administration was added to make it easier to restrict IT staff authority to only those machines (physical and virtual) for which they are responsible.

I used the machine-centric view a lot during my testing. For IT staff that have used NetChk Protect in the past, this feature will likely get a lot of oohs and ahhs. Digging down to a single system in machine view will likely save significant amounts of time in daily operations as IT staff look at patch exceptions on individual systems.

Role-based administration fundamentally means that patch management can be devolved to lower level staff. While NetChk Protect isn't the simplest product in the world to master, more junior IT staff can be more safely brought into the still rather arcane field of patch management by giving them restricted access to a small number of less important machines. As they become more adept at the art and science of keeping systems up-to-date, it's easy enough to expand their role through the NetChk Protect UI.

eWEEK Labs Technical Director Cameron Sturdevant can be reached at