August 13, 2008, 5:55 PM — I mentioned in my last blog that it would be handy to get a copy of all the VMs datafiles as they contain memory files.
The best way to preserve these files is to power off the VM as if you were pulling the plug on the VM. There are several ways to accomplish this task.
The first is to pull the power on the entire ESX server. Not always desirable but it is done from time to time.
The other more appropriate way is to kill the process running the VM, however that is quite a bit of trouble. You are first required to find the VMID of the VM and then to find its parent VMID and finally kill the VM within the vmkernel. This is achieved by doing:
VMID=`/usr/bin/vm-support -x | grep VMName|awk '{print $1}'|awk -F= '{print $2}`
KVMID=`cat /proc/vmware/vm/$VMID/cpu/status |awk '{print $1}'|grep -v group|awk -F\. '{print $2}'`
/usr/lib/vmware/bin/vmkload_app -k 19 $KVMID
These steps will kill the VM while maintaining a copy of the virtual swap file. If the VM had to swap to disk, the data is now there for you to use in your investigations.
However, it is always best to remember that this file is not always used.
