How SELinux screws with scripts when run over VMware Tools

SELinux by default prohibits certain things from working through VMware tools (Ansible connection or plain API).

This can be solved two ways:

  • Disabling SELinux: BAD, but easy
  • Writing a custom SELinux policy: complicated but more secure

Note: Adding/Changing this policy through a VMware tools connection is thankfully possible

Example policy

This policy is the base for a VMware tools policy and allows entering the rpm context (yum).

module custom-vmtools 1.0;

require {
        type rpm_script_t;
        type vmtools_unconfined_t;
        class process transition;
}

#============= vmtools_unconfined_t ==============

allow vmtools_unconfined_t rpm_script_t:process transition;

VMware Tools Copy Files

Docs

Copy To Guest

$vm = Get-VM -Name TEST
# Single quotes keep PowerShell from expanding $$ inside the password
Get-Item "X:\yourfile.txt" | Copy-VMGuestFile -Destination "c:\temp" -VM $vm -LocalToGuest -GuestUser "Administrator" -GuestPassword 'Pa$$w0rd'

Copy From Guest

$vm = Get-VM -Name TEST
# Single quotes keep PowerShell from expanding $$ inside the password
Copy-VMGuestFile -Source c:\yourfile.txt -Destination c:\temp\ -VM $vm -GuestToLocal -GuestUser "Administrator" -GuestPassword 'Pa$$w0rd'

Ansible VMware Connection Plugin & Become

When using VMware as the connection plugin to connect to remote hosts, you commonly set two facts for username and password:

ansible_vmware_tools_user: "mkamner"
ansible_vmware_tools_password: "Super Secret PW"

This will work just fine for Windows and with many tasks on Linux. However, if you want to use become: true on Linux, it will fail with the strangest error messages. For example: apt will fail, because it can’t acquire the lock file

vCenter Cert Bundle

To connect to vCenter or any ESXi server in the cluster without certificate errors:

  • Get CA cert from the vCenter: wget https://{{ YOUR VCENTER }}/certs/download.zip --no-check-certificate
  • Install where required

VMware KB
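
Because the bundle above is fetched with --no-check-certificate, the download itself is unauthenticated. One way to check the CA certificates before installing them is to compare their SHA-256 fingerprints with values confirmed out of band. This is an added example, not part of the original post or of VMware's tooling; the member names and the placeholder certificate bytes in the sample bundle are constructed.

```python
import base64
import hashlib
import io
import re
import zipfile

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def bundle_fingerprints(zip_bytes):
    """Map each zip member holding PEM certificates to their SHA-256
    fingerprints (hex digest of the DER encoding)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as bundle:
        for name in bundle.namelist():
            ders = [base64.b64decode(b) for b in PEM_CERT.findall(bundle.read(name))]
            if ders:
                found[name] = [hashlib.sha256(d).hexdigest() for d in ders]
    return found


def untrusted_members(zip_bytes, approved):
    """Return (member, fingerprint) pairs whose fingerprint is not in
    `approved`, the values confirmed out of band. Accepts the
    colon-separated upper-case form that openssl prints."""
    ok = {a.replace(":", "").lower() for a in approved}
    return [(name, fp)
            for name, fps in bundle_fingerprints(zip_bytes).items()
            for fp in fps if fp not in ok]


def _constructed_bundle():
    """Constructed sample: placeholder bytes stand in for real DER."""
    def pem(label, der):
        body = base64.encodebytes(der).decode()
        return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("certs/lin/example-root.0", pem("CERTIFICATE", b"constructed-root-ca"))
        z.writestr("certs/lin/example-root.r0", pem("X509 CRL", b"constructed-crl"))
        z.writestr("certs/lin/example-other.0", pem("CERTIFICATE", b"constructed-unknown-ca"))
    return buf.getvalue()


SAMPLE = _constructed_bundle()
EXPECTED_ROOT = hashlib.sha256(b"constructed-root-ca").hexdigest()

if __name__ == "__main__":
    for member, fp in untrusted_members(SAMPLE, [EXPECTED_ROOT]):
        print(f"do not install {member}: unexpected fingerprint {fp}")
```

For a real bundle, pass the bytes of download.zip and the fingerprints read from a trusted channel; any pair returned means that certificate should not go into a trust store.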