Powershell - Usage Wiki - PowerCLI, remote Veeam Backups

Powershell is not cmd.exe

cmd.exe, alias Command Prompt, is a rudimentary black window with an antique scripting language. Powershell doesn’t have much to do with it.

Powershell occupies an interesting space as the Perl-Bash-Text style scripting language to administer services like VMware ESXi, Microsoft Exchange, Windows Group Policies… Enterprise stuff.

Basics - quick and hands on

Paste something like this into Windows Powershell ISE:

echo $PSVersionTable.PSVersion
PS C:\Users\Meme> $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      -1     -1      

So the output is structured. With Powershell, you don’t need GNU tools like sed or awk. I still tend to use grep, but actually you don’t need to.

PS C:\Users\Meme> echo $PSVersionTable.PSVersion | Export-CSV -Path "version.csv" -Delimiter ";"

PS C:\Users\Meme> Get-Content .\version.csv
#TYPE System.Version
"Major";"Minor";"Build";"Revision";"MajorRevision";"MinorRevision"
"4";"0";"-1";"-1";"-1";"-1"

In other words: getting CSV output is straightforward for most commands I have seen.

Let’s print the first column.

PS C:\Users\Meme> Import-Csv -Delimiter ";" -Path .\version.csv | select "Major" 

Major                                                                                                                                                                    
-----                                                                                                                                                                    
4       

You can just handle output directly with these commands. These commands do not look hacky, don’t need RegEx and are simple.

To be clear: you can use .NET RegEx, and there are tons of libraries. A major difference from ZSH or Bash is that you aren’t forced to fall back on such means.

ESXi PowerCLI

Get all IPs of the guests

You can get all IPs of all guests on the ESXi / VSphere server (after you follow the manual and register your system).

PowerCLI C:\> Get-VM | select Name,@{N="IP Address";E={@($_.guest.IPAddress[0])}}

Name                                    IP Address
----                                    ----------
pfsense_gateway                         1.2.3.4
c_filer                                 192.168.1.X
c_syncer
Win16_Backup_Console                    10.42.42.X

For this to work, the open-vm-tools need to be installed. For a couple of years now, these have been the VMware Tools.

Connect to the guest consoles

You can connect to the console via VMRC:

PowerCLI C:\> Get-VM "Win16_Backup_Console" | Open-VMConsoleWindow

This will open the guest console via the local VMRC application, which uses a WebSocket connection to tunnel VNC.

You can create snapshots

If you run …

New-Snapshot -VM "Win16_Backup_Console" -Name "Patch_Tuesdat_CW_22"

… you will get a snapshot. With this snapshot, you can revert to a state before the changes in case there are issues with a patch. You should check out the parameters. Asynchronous snapshots or memory snapshots can be valuable for debugging and analyzing issues.

Veeam PowerShell - backups

This is a good opportunity to quickly get into WinRM and Powershell.

In this example, I have the guest Win16_Backup_Console within the 10.42.42.0 / 24 network. It’s reachable from a Windows client via a VPN.

Powershell Client Server - is Powershell remoting like SSH?

Enable PS-Remoting on the server

This server is in a private network. It’s a lab box. For Powershell Remoting to work, prepare the server. WinRM needs to work:

PS C:\Users\Administrator> Get-Service winrm

Status   Name               DisplayName
------   ----               -----------
Running  winrm              Windows Remote Management (WS-Manag...

Next step: define a trusted host and restart the service.

PS C:\Users\Administrator> winrm s winrm/config/client '@{TrustedHosts="Jump-PC"}'
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = Jump-PC

And restart…

cd $HOME
PS C:\Users\Administrator> winrm quickconfig
WinRM service is already running on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

And we enable PSRemoting and set a generic firewall exception:

PS C:\> Enable-PSRemoting -SkipNetworkProfileCheck -Force
PS C:\> Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any

Okay. Server prepped. – Quick question: is this secure? – Quick answer: nope. In production setups, the RemoteAddress would be the jump host. You’d also have proper network profiles. This, however, is for a lab only.

Note that many people do not use SSL / HTTPS for Powershell Remoting. It’s complex to do because you need to take care of the PKI as well. That’s another bullet point for a production system here.

  • SSL for WinRM
  • Authentication methods
  • Host firewall settings
  • Jump host concept
  • Account and Role management

Jee… I thought I just get SSH for Windows. Sadly not.
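The production points from the list above, applied to the lab server, as an added example that is not part of the original post. It assumes a server-authentication certificate is already installed in the machine store; the jump host address, the thumbprint placeholder and the HTTPS rule name are constructed for illustration.

```powershell
# Added example. Run elevated on the WinRM server.
$JumpHost       = '10.42.42.10'             # constructed jump host address
$CertThumbprint = '<CERT-THUMBPRINT>'       # placeholder: server-auth cert in LocalMachine\My

# The listener needs a certificate with a private key; stop early if it is missing.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$CertThumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $CertThumbprint has no private key." }

# SSL for WinRM: create an HTTPS listener (port 5986) unless one already exists.
$https = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $https) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
}

# Authentication methods: refuse Basic and unencrypted traffic on the service side.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# Host firewall / jump host: the lab rule used "-RemoteAddress Any".
# Here both WinRM ports accept connections from the jump host only.
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -RemoteAddress $JumpHost
$ruleName = 'WINRM-HTTPS-In-TCP-JumpHost'   # hypothetical rule name
if (-not (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $ruleName -DisplayName 'WinRM HTTPS from jump host' `
        -Direction Inbound -Protocol TCP -LocalPort 5986 `
        -RemoteAddress $JumpHost -Action Allow | Out-Null
}

# Print the resulting state for review.
Get-ChildItem -Path WSMan:\localhost\Listener | Select-Object Name, Keys
Get-ChildItem -Path WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC', $ruleName |
    Get-NetFirewallAddressFilter | Select-Object InstanceID, RemoteAddress
```

The client then connects with Enter-PSSession and the -UseSSL switch, using the host name that appears on the certificate rather than the IP address.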

Prepare the client

On the client I run:

PS C:\Users\Meme> Test-WSMan 10.42.42.X

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

That performs a connectivity and protocol availability check. Now let’s log in remotely:

cd $HOME
PS C:\Users\Meme> Enter-PSSession -ComputerName 10.42.42.X -Authentication Negotiate -Credential Administrator

There will be a popup that asks for the password. And yes: use a different user. Because security…

Veeam PSSnapin

[10.42.42.X]: PS C:\Users\Administrator> Add-PSSnapin VeeamPSSnapin
[10.42.42.X]: PS C:\Users\Administrator> Get-VBRServer

Info               : 192.168.1.8 (Linux Host)
ParentId           : 00000000-0000-0000-0000-000000000000
Id                 : 
Name               : 192.168.1.X
Reference          : 
Description        : Created by WIN-XYZ\Administrator at 6/14/2017 3:44 PM.
IsUnavailable      : True
Type               : Linux
ApiVersion         : Unknown
PhysHostId         : ABC123
ProxyServicesCreds : 

Info               : 1.2.3.4 (VMware ESXi Server)
ParentId           : 
Id                 : 
Name               : 1.2.3.4
Reference          : ha-host
Description        : Created by WIN\Administrator at 6/13/2017 2:37 PM.
IsUnavailable      : False
Type               : ESXi
ApiVersion         : V65
PhysHostId         : 
ProxyServicesCreds : 

Quick summary

  • We introduced Powershell Remoting. It’s not good but works somehow. It’s complex. Not like SSH.
  • We checked for Veeam Backup’s PSSnapin. It’s okay.

Cool. Now make a backup. These jobs can run weekly, for example. Veeam can push the backups to the remote server (NFS, SFTP…) and simply store a copy of a VM outside of the server.

More on that later. Now, as you saw, I covertly introduced Powershell Remoting. The plan is to use this with Ansible: to get Ansible Tower to regularly kick off the backup job, and push the Veeam backup file to an external host. You can also use Puppet… or just Unix style cron daemons. That’s beside the point. WinRM enables remote commands, for Windows - Windows style. That enables automation.
The next iteration of that is to have automated-restore tests, with file verification and functionality tests. Working backups, cheer up everyone.
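One way a scheduler could start the backup job over Powershell Remoting, as an added example that is not part of the original post. The function name and the job name in the usage comment are hypothetical, and the Result and EndTime properties read from the Veeam session object are assumptions about what Start-VBRJob returns.

```powershell
# Added example. Starts a Veeam job on the backup server and fails loudly
# if the job does not end well, so cron / Ansible / Task Scheduler notice.
function Invoke-RemoteVeeamJob {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [string]       $JobName,
        # Pass a credential object for a dedicated backup account;
        # no password is stored in the script.
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # This block runs on the backup server inside the remote session.
    $remote = {
        param($Name)
        Add-PSSnapin VeeamPSSnapin -ErrorAction Stop
        $job = Get-VBRJob -Name $Name
        if (-not $job) { throw "No Veeam job named '$Name'." }

        # Without -RunAsync, Start-VBRJob waits until the job session has ended.
        $session = Start-VBRJob -Job $job

        # Return plain data only; property names are assumptions (see lead-in).
        [pscustomobject]@{
            Job    = $Name
            Result = "$($session.Result)"
            Ended  = $session.EndTime
        }
    }

    $out = Invoke-Command -ComputerName $ComputerName -Authentication Negotiate `
        -Credential $Credential -ScriptBlock $remote -ArgumentList $JobName `
        -ErrorAction Stop

    if ($out.Result -notin 'Success', 'Warning') {
        throw "Veeam job '$JobName' on $ComputerName ended with result '$($out.Result)'."
    }
    $out
}

# Usage (job name is hypothetical):
# Invoke-RemoteVeeamJob -ComputerName 10.42.42.X -JobName 'Weekly_Console_Backup' -Credential (Get-Credential)
```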

Posh-SSH - anyone everyone someone

Posh-SSH brings SSH to Powershell. You need to install it like the Readme of the Github repo suggests. It’s a one-liner.

PS C:\Users\Meme> New-SSHSession -ComputerName ssh.info -Credential (Get-Credential)
PS C:\Users\Meme> Invoke-SSHCommand -Index 0 -Command "uname -a"

It also has SFTP support. To move files… you know :)