vCenter / vSphere — machine inventory
In on-premises data centers the king of virtualization is still VMware vSphere. Hundreds of virtual machines live on ESXi hosts managed by vCenter. Inventorying this fleet is one of the main tasks of the ZEUS on-prem connector.
vSphere architecture
| Component | Role |
|---|---|
| ESXi | the hypervisor — bare metal on which VMs run |
| vCenter Server | central management of multiple ESXi hosts |
| Cluster | a group of hosts with HA and DRS (load balancing) |
| Datastore | storage for VM files (VMDK) |
| Resource Pool | a logical partition of CPU/RAM resources |
vCenter is the point that every inventory tool connects to — a single endpoint instead of connecting to each host separately.
Inventory via the API (pyVmomi)
VMware exposes the vSphere API; in Python you use the pyVmomi library. An example of listing all VMs:
```python
from pyVim.connect import SmartConnect, Disconnect
from pyVmomi import vim
import ssl

# Lab shortcut only: in production verify the vCenter certificate
# (ssl.create_default_context() with the corporate CA) instead of disabling checks.
ctx = ssl._create_unverified_context()

si = SmartConnect(host="vcenter.corp.firma.pl",
                  user="svc-zeus@vsphere.local",
                  pwd="<haslo>",            # service-account password (read-only role)
                  sslContext=ctx)
content = si.RetrieveContent()

# Recursive container view over the whole inventory, VirtualMachine objects only
view = content.viewManager.CreateContainerView(
    content.rootFolder, [vim.VirtualMachine], True)
try:
    for vm in view.view:
        s = vm.summary
        print(s.config.name, s.runtime.powerState,
              s.config.guestFullName, s.config.numCpu)
finally:
    view.Destroy()      # release the server-side view
    Disconnect(si)
```
Tip: the `svc-zeus` account should have the Read-only role in vCenter, assigned at the root folder level with inheritance. Full visibility, zero ability to modify.
What we inventory and why
For each VM we collect, among other things:
- the name, power state, guest operating system,
- resources (vCPU, RAM, disks) and datastore,
- the state of VMware Tools (outdated Tools = no telemetry),
- assigned networks (port groups, VLANs).
This lets us answer security questions: which VMs are powered on and unattended, which run unsupported OSes, where current Tools are missing.
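The flagging logic behind those questions, as an added example that is not ZEUS's own code: it flattens `vm.summary` objects into plain records and marks unsupported guest OSes, running VMs without current VMware Tools, and running VMs with no owner recorded. The unsupported-OS list and the convention that the owner is written in the VM annotation (Notes) are assumptions of this example; the sample VMs are constructed look-alikes so the code runs without a vCenter, but `vm_record()` accepts a real pyVmomi `vm.summary` unchanged.

```python
"""Flatten pyVmomi ``vm.summary`` objects into records and flag security-relevant state."""
from types import SimpleNamespace

# Example policy (assumption, not from ZEUS): guestFullName substrings treated as
# unsupported. Maintain this against the vendors' lifecycle pages.
UNSUPPORTED_OS_MARKERS = ("Windows Server 2008", "Windows Server 2012", "CentOS 6")

# vim.vm.GuestInfo.ToolsStatus values that mean "no usable telemetry from the guest".
TOOLS_NOT_CURRENT = {"toolsOld", "toolsNotInstalled", "toolsNotRunning"}


def vm_record(summary):
    """Flatten a vm.summary (real pyVmomi object or look-alike) into a dict.

    Fields read: config.name, config.guestFullName, config.numCpu, config.memorySizeMB,
    config.annotation, runtime.powerState, guest.toolsStatus, storage.committed.
    """
    cfg, rt, guest, storage = summary.config, summary.runtime, summary.guest, summary.storage
    return {
        "name": cfg.name,
        "power": str(rt.powerState),                  # poweredOn / poweredOff / suspended
        "os": cfg.guestFullName or "",
        "vcpu": cfg.numCpu,
        "ram_mb": cfg.memorySizeMB,
        "disk_gb": round((storage.committed if storage else 0) / 2**30, 1),
        "tools": str(guest.toolsStatus) if guest.toolsStatus else "toolsNotInstalled",
        "note": (cfg.annotation or "").strip(),       # assumption: owner is kept in Notes
    }


def vm_findings(records, unsupported=UNSUPPORTED_OS_MARKERS):
    """Return {vm_name: [finding, ...]} for the conditions the lesson lists."""
    out = {}
    for r in records:
        flags = []
        if any(m in r["os"] for m in unsupported):
            flags.append("unsupported_os")
        if r["power"] == "poweredOn" and r["tools"] in TOOLS_NOT_CURRENT:
            flags.append("tools_not_current")         # running, but blind to us
        if r["power"] == "poweredOn" and "owner:" not in r["note"].lower():
            flags.append("no_owner_note")             # running and unattended
        if flags:
            out[r["name"]] = flags
    return out


def _fake_summary(name, power, os, tools, note="", vcpu=2, ram=4096, committed=40 * 2**30):
    """Constructed look-alike of vm.summary for offline runs (not real vCenter data)."""
    return SimpleNamespace(
        config=SimpleNamespace(name=name, guestFullName=os, numCpu=vcpu,
                               memorySizeMB=ram, annotation=note),
        runtime=SimpleNamespace(powerState=power),
        guest=SimpleNamespace(toolsStatus=tools),
        storage=SimpleNamespace(committed=committed),
    )


# Constructed sample fleet: one clean VM, one legacy DB, one orphan test box, one parked FTP host.
SAMPLE_VMS = [
    _fake_summary("app-01", "poweredOn", "Microsoft Windows Server 2022 (64-bit)", "toolsOk", "owner: team-app"),
    _fake_summary("legacy-db", "poweredOn", "Microsoft Windows Server 2008 R2 (64-bit)", "toolsOld", "owner: dba"),
    _fake_summary("tmp-test", "poweredOn", "Ubuntu Linux (64-bit)", "toolsNotInstalled"),
    _fake_summary("old-ftp", "poweredOff", "CentOS 6 (64-bit)", "toolsOld", "owner: legacy"),
]


def demo():
    """Run the findings over the constructed sample fleet."""
    return vm_findings(vm_record(s) for s in SAMPLE_VMS)


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name}: {', '.join(flags)}")
```

Note that `old-ftp` is flagged for its OS even though it is powered off: a powered-off VM is still an asset that can be booted tomorrow, while the Tools and owner checks are only meaningful for running machines.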
Hardening ESXi hosts
Independently of the VM inventory, it is worth remembering to harden the hosts themselves: Lockdown Mode, the ESXi Shell/SSH disabled outside servicing, current patches and restricted access to the management interface.
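An added example (not ZEUS's or VMware's code) of turning that checklist into host-level findings from the same read-only API session: it reads `host.config.lockdownMode`, the `TSM` (ESXi Shell) and `TSM-SSH` service entries from `host.configManager.serviceSystem.serviceInfo.service`, and the product build from `host.summary.config.product`. The approved-build set and the sample hosts are constructed so the code runs offline; `host_record()` accepts a real pyVmomi `HostSystem` unchanged.

```python
"""Flag ESXi hosts whose posture contradicts the hardening checklist."""
from types import SimpleNamespace

# Service keys as exposed by the host service system.
SERVICE_ESXI_SHELL = "TSM"
SERVICE_SSH = "TSM-SSH"


def host_record(host):
    """Flatten a HostSystem (real pyVmomi object or look-alike) into a dict.

    lockdownMode is a vim.host.HostAccessManager.LockdownMode value
    (lockdownDisabled / lockdownNormal / lockdownStrict); service policy is
    'on' (start with host), 'off' (manual) or 'automatic'.
    """
    services = {s.key: s for s in host.configManager.serviceSystem.serviceInfo.service}

    def state(key):
        s = services.get(key)
        return {"running": bool(s and s.running), "policy": s.policy if s else "absent"}

    return {
        "name": host.name,
        "lockdown": str(host.config.lockdownMode),
        "shell": state(SERVICE_ESXI_SHELL),
        "ssh": state(SERVICE_SSH),
        "build": str(host.summary.config.product.build),
    }


def host_findings(records, approved_builds):
    """Return {host_name: [finding, ...]}; approved_builds is the patch baseline you maintain."""
    out = {}
    for r in records:
        flags = []
        if r["lockdown"] == "lockdownDisabled":
            flags.append("lockdown_disabled")
        for svc in ("shell", "ssh"):
            if r[svc]["running"]:
                flags.append(f"{svc}_running")          # should be off outside servicing
            if r[svc]["policy"] == "on":
                flags.append(f"{svc}_autostart")        # enabled permanently, not just for a window
        if r["build"] not in approved_builds:
            flags.append("build_not_approved")          # behind the patch baseline
        if flags:
            out[r["name"]] = flags
    return out


def _fake_host(name, lockdown, shell_running, ssh_running, ssh_policy, build):
    """Constructed look-alike of a HostSystem for offline runs (not real vCenter data)."""
    svc = [
        SimpleNamespace(key=SERVICE_ESXI_SHELL, running=shell_running, policy="off"),
        SimpleNamespace(key=SERVICE_SSH, running=ssh_running, policy=ssh_policy),
    ]
    return SimpleNamespace(
        name=name,
        config=SimpleNamespace(lockdownMode=lockdown),
        configManager=SimpleNamespace(serviceSystem=SimpleNamespace(
            serviceInfo=SimpleNamespace(service=svc))),
        summary=SimpleNamespace(config=SimpleNamespace(
            product=SimpleNamespace(build=build))),
    )


# Constructed baseline and hosts; build strings are placeholders, not real ESXi build numbers.
APPROVED_BUILDS = {"BUILD-CURRENT-EXAMPLE"}
SAMPLE_HOSTS = [
    _fake_host("esx-01", "lockdownNormal", False, False, "off", "BUILD-CURRENT-EXAMPLE"),
    _fake_host("esx-02", "lockdownDisabled", True, True, "on", "BUILD-OLD-EXAMPLE"),
]


def demo():
    """Run the host checks over the constructed sample hosts."""
    return host_findings((host_record(h) for h in SAMPLE_HOSTS), APPROVED_BUILDS)


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name}: {', '.join(flags)}")
```

A host with SSH `running` but `policy == "off"` is usually a servicing window left open; `policy == "on"` means someone made it permanent, which is the finding worth escalating.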
How ZEUS sees it
Through the vSphere API (pyVmomi) and a read-only account, ZEUS inventories the entire VM fleet and the ESXi hosts. It combines this data with the rest of the environment picture — on-prem machines land in the same inventory as cloud resources, giving one coherent view. ZEUS flags VMs with an outdated OS, host hardening disabled, or missing current VMware Tools. The mechanics of the connection (reverse-SSH tunnel) are in lesson 06.
In the next lesson: WinRM and managing the Windows fleet.