I was working on a process for keeping Windows VM templates up to date in vSphere. I have seen this done before either by hand, which never seems to meet cadence expectations, or in automated fashion with scripts. I have recently been exploring Ansible modules for Windows and decided to give this one a shot using Ansible and the win_updates module.
The goal: an automated process that converts VM templates to machines, updates VM Tools if required and applies all security and critical updates to template images. The process should monitor the update requirements, reboot the machines if necessary, convert them back to templates as soon as the process is complete and report on the actions performed.
I wrote it on a Windows 2019 template with 2 vCPU and 8 GB RAM and it has worked multiple times without issue. This would need some testing for other platforms and machine instances.
The template OS must be prepared for Ansible or this does not work. This is easily done by running the ConfigureRemotingForAnsible script in your template. You will need an Ansible controller from which you will run this playbook and its tasks.
DISCLAIMER: This solution is a kind of "bring your own inventory". Long term you would want to move that template machine and manage it as a host with a standard inventory ini, with your templates in a group perhaps.
You will need:
- Ansible controller with Ansible >= 2.8 and pywinrm and pyvmomi installed
- vCenter Server with a Datacenter and Templates
- Credentials for vCenter and the guest OS you are updating
This article will not cover the Git, Ansible or Python module installs 🙁
If you need help with the pre-reqs stuff contact me 🙂
This also assumes your template gets network connectivity when it is powered on through some process of DHCP or something.
Once you have all of the pre-reqs met and software installed on the Ansible controller you can pull the repo.
git clone -b master https://github.com/mccbryan3/ansible-vsphere-update-templates.git
cd ansible-vsphere-update-templates
mv vars/pb-vars.yaml.example vars/pb-vars.yaml
Edit the file to fit the needs of your environment. Leave the ignore. Save it…
Here we run the playbook with verbose mode and template name specified as an extra variable. <TEMPLATENAME> should be replaced with your exact template name.
All of the -vvvvv's are for verbose mode and optional.
ansible-playbook pb.vm_template_updates.yaml -e "template_name=<TEMPLATENAME>" -vvvvv
This was written so that tasks for updates plug in: you could add another task and include it like below with some conditionals and do Linux and such.
Here is the repo..
And here is a video of the run with the update wait cut out. This took about 15 minutes total on the 2019 box I wrote it on. Sorry this isn't my best video.
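The workflow described at the top of this post, condensed into one playbook as an added example; it is not the playbook from the repository. The vcenter_* and guest_* variable names are assumptions, and the module parameters follow vmware_guest and win_updates as shipped with Ansible 2.8, so check them against your installed version.

```yaml
# Added example. Every variable except template_name is an assumed name; keep secrets in Ansible Vault.
- name: Convert the template to a VM and boot it
  hosts: localhost
  gather_facts: false
  module_defaults:
    vmware_guest: &vc                 # shared vCenter connection settings
      hostname: "{{ vcenter_host }}"
      username: "{{ vcenter_user }}"
      password: "{{ vcenter_password }}"
      validate_certs: true            # verify vCenter's TLS certificate
      datacenter: "{{ vcenter_datacenter }}"
      cluster: "{{ vcenter_cluster }}"  # placement target when leaving template state
      name: "{{ template_name }}"
  tasks:
    - name: Mark the template as a virtual machine
      vmware_guest: { is_template: false, state: present }
    - name: Power on and wait for the DHCP address
      vmware_guest: { state: poweredon, wait_for_ip_address: true }
      register: vm
    - name: Add the running VM to an in-memory inventory group
      add_host:
        name: "{{ vm.instance.ipv4 }}"
        groups: template_vms
        ansible_connection: winrm     # HTTPS listener on 5986 by default
        ansible_winrm_transport: ntlm # avoid Basic authentication
        # Ignore only while the listener uses a self-signed certificate.
        ansible_winrm_server_cert_validation: ignore
        ansible_user: "{{ guest_user }}"
        ansible_password: "{{ guest_password }}"
      no_log: true                    # keep the guest password out of -vvvvv output
- name: Install security and critical updates
  hosts: template_vms
  gather_facts: false
  tasks:
    - name: Apply updates, rebooting as often as required
      win_updates:
        category_names: [SecurityUpdates, CriticalUpdates]
        reboot: true
      register: updates
    - name: Report what was done
      debug: { msg: "{{ updates.installed_update_count }} installed, {{ updates.failed_update_count }} failed" }
- name: Shut down and convert back to a template
  hosts: localhost
  gather_facts: false
  module_defaults: { vmware_guest: *vc }
  tasks:
    - name: Shut the guest down cleanly and wait for power-off
      vmware_guest: { state: shutdownguest, state_change_timeout: 600 }
    - name: Mark the VM as a template again
      vmware_guest: { is_template: true, state: present }
```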