Forem: giulio Savini

Build and deploy the latest open-vm-tools from source with Ansible and Docker

giulio Savini — Sat, 02 May 2026 11:21:51 +0000

Build and deploy the latest open-vm-tools from source with Ansible and Docker

If you run Linux VMs on VMware, you've probably hit this: your distro ships an open-vm-tools version that's 1-2 years behind upstream. That matters when you need guest OS compatibility fixes for newer ESXi, VMCI socket support, or CVE patches your distro hasn't backported yet.

I built an Ansible role that solves this: vmware-tools-builder — it compiles the latest open-vm-tools inside isolated Docker containers, produces clean .deb/.rpm packages, and deploys them across your entire fleet.

Why not just use the distro package?

	Distro package	This role
Version	Months/years behind	Always latest upstream
VMCI socket support	Often missing	Compiled in
CVE patches	Depends on distro backport	Upstream fix on release
Multi-distro	One at a time	Ubuntu, Debian, RHEL, Rocky, Fedora

How it works

The build runs inside Docker containers — one per distro — so your Ansible controller stays clean. No build dependencies polluting your system.

cd containers

# Build for all supported distros
./build-all.sh

# Single distro
./build-all.sh --target rocky9

# Pin a specific upstream version
./build-all.sh --version 12.5.0

Output: .deb and .rpm packages in output/, automatically copied to files/ where Ansible picks them up.

Deploy with Ansible

Install from Galaxy:

ansible-galaxy install giuliosavini.vmware_tools_builder

Write your inventory:

[debian]
srv-web01  ansible_host=10.0.0.1
srv-web02  ansible_host=10.0.0.2

[rhel]
srv-app01  ansible_host=10.0.0.10

[all:vars]
ansible_user=root

Run the playbook:

ansible-playbook -i inventory.ini playbook.yml

Smart deployment logic

The role handles three scenarios automatically — no conditional vars needed:

Current state	Action
No open-vm-tools installed	Fresh install
Distro `open-vm-tools` present	Remove it, install custom build
Previous custom build present	In-place upgrade

For each host the role runs: preflight → deploy → post-install → diagnose → verify. If vmtoolsd fails to start, it collects logs and attempts automatic recovery before reporting failure.

Supported platforms

Distro	Build	Deploy
Ubuntu 22.04+	Docker container	Ansible (apt)
Debian 12+	Docker container	Ansible (apt)
RHEL / Rocky / Alma 9	Docker container	Ansible (yum)
RHEL / Rocky / Alma 8	Docker container	Ansible (yum)
Fedora	Docker container	Ansible (yum)
SUSE / openSUSE	—	Ansible (zypper)

Example playbook

- name: Deploy custom open-vm-tools
  hosts: all
  become: true
  gather_facts: true
  roles:
    - role: giuliosavini.vmware_tools_builder
      vmtools_remove_standard: true
      vmtools_diagnose_on_failure: true

Requirements

Docker on the build host (just for compiling packages)
Ansible 2.12+ on the controller
SSH access to target machines

That's it. No special build deps, no polluted environments.

If you manage VMware infrastructure and are tired of outdated guest tools, give it a try. The role is on Ansible Galaxy and the source is on GitHub.

→ github.com/GiulioSavini/vmware-tools-builder

→ galaxy.ansible.com/giuliosavini/vmware_tools_builder

How I built a production-ready Wazuh SIEM on Docker (with custom rules for VMware, AWS and GCP)

giulio Savini — Sat, 02 May 2026 11:21:25 +0000

How I built a production-ready Wazuh SIEM on Docker (with custom rules for VMware, AWS and GCP)

Most Wazuh tutorials stop at "here's how to spin up the containers." That's fine for a demo, but getting it to actually monitor your infrastructure — with meaningful alerts, automated agent deployment, and cloud integrations — is a different story.

I spent a few weeks assembling everything into a single repo: wazuh-docker-monitoring-platform. Here's what it includes and why I built each piece.

The problem with most Wazuh setups

Out of the box, Wazuh gives you generic Linux alerts. Useful, but noisy. What I needed was:

Detection rules tuned for Docker container abuse (privileged runs, suspicious mounts, crypto-mining)
VMware vCenter monitoring — snapshot abuse, vMotion events, auth brute force
AWS CloudTrail and GCP Audit Log anomalies mapped to Wazuh rules
A way to deploy agents at scale without SSHing into 30 machines one by one
Something that works in both a lab (4GB RAM) and production

What the stack looks like

┌─────────────────────────────────┐
│  Wazuh Manager  :1514 / :55000  │
│  Wazuh Indexer  :9200           │
│  Wazuh Dashboard :5601          │
│  NGINX (optional reverse proxy) │
└─────────────────────────────────┘
         ↑ agents on port 1514
Linux servers · Windows servers · Docker hosts · vCenter
         ↑ log forwarding
AWS CloudTrail (S3) · GCP Pub/Sub

Everything runs via docker compose. There's also a docker-compose.lab.yml overlay that cuts resource usage for testing.

Custom detection rules

This is the part I'm most proud of. The rules/ directory has rules for:

Docker (rules/docker/)

Container exec events
Privileged container creation
Host namespace abuse (--pid=host, --network=host)
Suspicious bind mounts (/etc, /var/run/docker.sock)
Crypto-mining signatures

VMware (rules/vmware/)

VM power state changes
Snapshot creation/deletion (ransomware indicator)
Host disconnect events
vCenter login brute force

AWS (rules/aws/)

IAM policy changes
Security group opened to 0.0.0.0/0
Console login without MFA
CloudTrail disabled or deleted

GCP (rules/gcp/)

Public bucket created
Firewall rule opened to 0.0.0.0/0
IAM policy changes
Compute instance created outside allowed regions

Ansible agent deployment

Instead of deploying agents manually, the repo includes Ansible playbooks that handle everything:

# Deploy to all Linux hosts in inventory
ansible-playbook -i inventories/production playbooks/deploy-linux-agent.yml

# Windows too (via WinRM)
ansible-playbook -i inventories/production playbooks/deploy-windows-agent.yml

There's also a network discovery script that scans a subnet, generates an Ansible inventory, and feeds it straight into the deployment pipeline:

make onboard SUBNET=10.0.0.0/24

One command: scan → discover → deploy agents → verify.

Getting started

git clone https://github.com/GiulioSavini/wazuh-docker-monitoring-platform.git
cd wazuh-docker-monitoring-platform

make preflight        # validate Docker, kernel params, disk, ports
cp .env.example .env  # set your passwords
make init             # generate TLS certs
make deploy           # bring up the stack

Dashboard is at https://localhost:5601 in a few minutes.

Lab vs production mode

Running this on a homelab with limited RAM? Use the lab overlay:

docker compose -f docker-compose.yml -f docker-compose.lab.yml up -d

It reduces the Wazuh Indexer heap and manager memory limits to fit on a 8GB machine.

What's next

The repo roadmap includes:

Wazuh cluster mode (multi-node manager)
Kubernetes Helm chart
SOAR integration (Shuffle / TheHive)
Sigma rule auto-import
Automated compliance dashboards (PCI-DSS, CIS)

If you're running VMware, Docker, or any cloud infrastructure and want proper security visibility without paying for a commercial SIEM, give it a try. PRs and rule contributions welcome.

→ github.com/GiulioSavini/wazuh-docker-monitoring-platform