Objective 5.6 – Patch and Update ESXi and Virtual Machines

For this objective I used the following documents:

  • Documents listed in the Tools section


**ITEMS IN BOLD ARE TOPICS PULLED FROM THE BLUEPRINT**


Knowledge

  • Identify patching requirements for ESXi hosts and virtual machine hardware/tools
    • Patching requirements for ESXi hosts and for virtual machine hardware/tools are usually separate, but depending on the update a host patch may need to be paired with virtual machine hardware/tools updates; in that case follow the Orchestrated Datacenter Upgrade methodology described on pages 157-160 of the Installing and Administering VMware vSphere Update Manager guide
    • You will need to identify whether the Update Manager server can download patches directly or, if the network is secured without Internet access, whether you should use the Update Manager Download Server (UMDS) instead
    • Configuring baselines for your ESXi hosts and virtual machines will allow you to scan your environment and determine which entities are not compliant, and from there remediate (stage/deploy patches)
    • Determine if you have any third party virtual appliances that can be updated via update manager
    • Typically the biggest requirement is to keep your hosts and virtual machine hardware/tools up-to-date with the latest patches; do that with Update Manager


  • Create/Edit/Remove a Host Profile from an ESXi host
    • If you have read other objectives in this guide, this section will look familiar; let's start with Creating a Host Profile:

NOTE: Host profiles require Enterprise Plus licensing

    • Creating a Host Profile
        1. Log in to vCenter using the VI Client
        2. Select the View menu > select Management > Host Profiles (or Ctrl + Shift + P)
        3. Right-click in the white area under the Host Profiles folder icon and select Create Profile
        4. You have two options, Create Profile from existing host or Import profile; for this walk-through choose Create Profile from existing host > click Next
        5. Choose which host you want to use as a reference host > click Next
        6. Enter in a Name and a Description for this new Host Profile > click Next
        7. Click Finish
    • Editing a Host Profile
        1. Log in to vCenter using the VI Client
        2. Select the View menu > select Management > Host Profiles (or Ctrl + Shift + P)
        3. Right-click on the host profile you want to edit and select Edit Profile…
        4. From here you can edit the name and description of the host profile, as well as the profile itself and the policies within
        5. Click on any policy and view the configuration and compliance details in the right-pane
        6. Click OK when finished

There are 21 different policies and many more options beneath each policy, so I won't go into them here; the best way to get to know these policies is by taking a look at a host profile

    • Deleting a Host Profile
        1. Log in to vCenter using the VI Client
        2. Select the View menu > select Management > Host Profiles (or Ctrl + Shift + P)
        3. Right-click on the profile you want to delete and select Delete Profile…
        4. Click Yes to confirm deletion


  • Attach/Apply a Host Profile to an ESXi host or cluster
    • Attaching a host profile to an ESXi host or a cluster is the same basic procedure
    • Attaching a Host Profile to an ESXi Host or Cluster
        1. Log in to vCenter using the VI Client
        2. Select the View menu > select Management > Host Profiles (or Ctrl + Shift + P)
        3. Right-click on the host profile you want to attach and select Attach Host/Cluster…
        4. Choose the host(s) and/or cluster(s) you want to attach the host profile to in the left-pane > click Attach
        5. Click OK when complete
    • Applying a Host Profile to an ESXi Host – cannot apply directly to a Cluster
        1. Log in to vCenter using the VI Client
        2. Navigate to the Host and Clusters view (View > Inventory > Hosts and Clusters)
        3. From the left pane right-click the host you want to apply the host profile to (you must attach a profile before you apply it) > click Host Profile > Apply Profile…
          1. If the host is not in maintenance mode you will get an error telling you that the host must first be in maintenance mode prior to applying the host profile
          2. A screen will show you the list of configuration changes that will be made and any settings requiring user input will be displayed; you must manually enter static values for these fields
          3. Once complete click Finish and take the host out of maintenance mode


  • Perform compliance scanning and remediation of an ESXi host using Host Profiles
    • Compliance Scanning and Remediation using Host Profiles
        1. Log in to vCenter using the VI Client
        2. Select the View menu > select Management > Host Profiles (or Ctrl + Shift + P)
        3. In the left pane select the profile you want to check for compliance > click the Hosts and Cluster tab on the right
        4. Select whichever host/cluster you want to check compliance on > click the Check Compliance hyperlink
        5. Once it completes you will see a status under the Host Profile Compliance column and, if non-compliant, details will be displayed in the lower pane letting you know which policies your host/cluster is out of compliance with
        6. If your host/cluster comes up as non-compliant click the Apply Profile… hyperlink (remember the host must be in maintenance mode prior to applying a host profile)
        7. Like the "Applying a Host Profile…" procedure above, a screen will show you a list of configuration changes that will be applied to the host you are remediating (these should be the same changes you saw listed in step 5)
        8. Once you are done reviewing the changes and are comfortable with them click Finish
        9. Once it is complete the host/cluster should now show as Compliant
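The three host-profile procedures above (create from a reference host, attach/apply, check compliance and remediate) as one PowerCLI script, added here as an example and not part of the original post. It assumes PowerCLI 5.x with the host-profile cmdlets (New-VMHostProfile, Apply-VMHostProfile, Test-VMHostProfileCompliance); the vCenter, host and profile names are placeholders.

```powershell
# Added example (not the original post's content): host-profile create, attach,
# compliance check and remediation with PowerCLI. Server/host/profile names are placeholders.
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$profileName = 'Gold-ESXi-Profile'        # placeholder profile name
$refHostName = 'esxi01.example.local'     # placeholder reference host (already configured)
$hostName    = 'esxi02.example.local'     # placeholder host to check and remediate

# Create the profile from the reference host if it does not exist yet (steps 4-7 of "Creating").
$profile = Get-VMHostProfile -Name $profileName -ErrorAction SilentlyContinue
if (-not $profile) {
    $profile = New-VMHostProfile -Name $profileName -ReferenceHost (Get-VMHost $refHostName) `
        -Description 'Baseline ESXi configuration'
}
$vmhost = Get-VMHost -Name $hostName

# Attach only (-AssociateOnly makes no changes); a profile must be attached before it is applied.
Apply-VMHostProfile -Entity $vmhost -Profile $profile -AssociateOnly -Confirm:$false | Out-Null

# Compliance check: the cmdlet returns nothing for a compliant host, otherwise one
# object per host whose IncomplianceElementList names the policies out of compliance.
$incompliance = Test-VMHostProfileCompliance -VMHost $vmhost
if (-not $incompliance) {
    Write-Host "$hostName is compliant with $profileName"
    Disconnect-VIServer -Confirm:$false
    return
}
Write-Host "$hostName is NOT compliant; failing elements:"
$incompliance.IncomplianceElementList | Format-List

# The host must be in maintenance mode before the profile is applied.
Set-VMHost -VMHost $vmhost -State Maintenance -Confirm:$false | Out-Null

# Without -Variable the cmdlet returns a hashtable of settings that need a
# user-supplied static value (the same fields the Apply Profile wizard prompts for).
$required = Apply-VMHostProfile -Entity $vmhost -Profile $profile -ApplyOnly -Confirm:$false
if ($required -is [hashtable]) {
    foreach ($key in @($required.Keys)) {
        $required[$key] = Read-Host "Enter value for $key"
    }
    Apply-VMHostProfile -Entity $vmhost -Profile $profile -Variable $required -ApplyOnly -Confirm:$false | Out-Null
}

# Re-check compliance, then take the host out of maintenance mode.
$after = Test-VMHostProfileCompliance -VMHost $vmhost
Set-VMHost -VMHost $vmhost -State Connected -Confirm:$false | Out-Null
if ($after) { Write-Warning "$hostName is still non-compliant; review the elements above" }
else        { Write-Host "$hostName is now compliant with $profileName" }

Disconnect-VIServer -Confirm:$false
```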


  • Install and Configure vCenter Update Manager
    • You can install vCenter Update Manager in a few different configurations. First and foremost, ensure that the hardware, operating system and database you are loading Update Manager on are supported (pages 21 – 23 of Installing and Administering VMware vSphere Update Manager)
    • The documentation references three deployment models for update manager:
      • All-in-one model – vCenter, Update Manager and the database all on one server.  Number of servers required = 1
      • Medium deployment model – vCenter and Update Manager on one server, database on another server.  Number of servers required = 2
      • Large deployment model – vCenter on one server with a dedicated database server, Update Manager on its own server with a dedicated database server.  Number of servers required = 4 (recommended when you have more than 1000 virtual machines or 100 hosts)
    • Requires a 32-bit DSN (except if you're using SQL 2008 R2 Express)
    • Installing vCenter Update Manager – using SQL 2008 R2 Express and installing on same server as vCenter
        1. Locate your vCenter 5.0 media and mount to vCenter server
        2. Execute autorun.exe to bring up the menu of products on the vCenter 5.0 media
        3. Click on VMware vSphere Update Manager
        4. In the right pane there are two prerequisites listed, Microsoft .NET 3.5 SP1 and Windows Installer 4.5, if you do not have these installed already install them
        5. Once complete click the Install button
        6. Select your language and click OK
        7. Click Next twice
        8. Accept the EULA and click Next
        9. Select whether you want to download updates from a default source after the installation (the default option is yes); do not select this if this deployment of Update Manager is air-gapped > click Next
        10. Enter the information for the vCenter server you want to link to this instance of Update Manager (the relationship is 1:1); enter IP Address/Name, HTTP Port, Username and Password > click Next
        11. Choose whether to install Microsoft SQL Server 2008 R2 Express or to use an existing supported database; if you choose to use an existing database you'll need to provide the 32-bit DSN > click Next
        12. Choose how you want Update Manager to be identified on the network by making a selection from the dropdown, usually the IP or NETBIOS name
        13. If you wish to change the SOAP Port, Web Port, or SSL Port do so at this screen.  If you have an internet connection and use a proxy, check Yes, I have Internet connection and I want to configure proxy settings now.
        14. If you want to change the default installation paths for the Update Manager installation or the location for downloading patches do so at this screen > click Next – if you have less than 120GB of disk space free you will get a warning and a link to VMware's vSphere Update Manager Sizing Estimator > click OK
        15. Click Install
        16. Click Finish once the install completes


  • Configure patch download options
    • Before you can configure any options for Update Manager the machine you are using to connect to vCenter needs to have the Update Manager plug-in installed. Once it is installed it will appear under Solutions and Applications as Update Manager
    • Configure Patch Download Options
        1. Log in to vCenter using the VI Client
        2. Select the View menu > select Solutions and Applications > Update Manager
        3. Click on the Configuration tab
        4. From the Settings menu on the left click the Download Settings hyperlink
        5. First, let's define our download sources. By default the Direct connection to Internet option is enabled along with four sources
        6. Add a new download source (third-party download source)
          1. Click the Add Download Source… hyperlink
          2. Enter in a Source URL and Description
          3. Click the Validate URL button (clicking OK will also try to validate the URL)
          4. If the URL can’t be validated it will show as Not Connected and a warning will be displayed if you click OK with a non-validated URL letting you know that the source is not valid and asks if you still want to add it to the list
        7. Instead of using the Direct Connect to the Internet option you can choose the Use a shared repository option
          1. Enter in a URL for the shared repository and click Validate URL
        8. Click the Import Patches hyperlink to manually import from a .zip file
        9. Click the Download Now button to download available patches from your listed sources
        10. If your environment requires a proxy server to access the Internet or shared repository enter in the following information as needed
          1. Check the Use Proxy checkbox
          2. Enter in the proxy server name and port
          3. If your proxy server requires authentication check the Proxy requires authentication checkbox and enter in a Username/Password
          4. Click Test Connection to verify you have the correct settings
          5. Click Apply
        11. From the Settings menu on the left click the Download Schedule hyperlink
        12. Choose whether you want to enable/disable a download schedule by checking/unchecking the Enable scheduled download checkbox
        13. Click the Edit Download Schedule… hyperlink
        14. Enter in a Task Name and description
        15. Choose a Frequency (Once, Hourly, Daily, Weekly or Monthly)
        16. Choose a Start Time
        17. Choose the Interval (represented in days) > click Next
        18. Enter in the email addresses you want to be notified when new patches are downloaded; this requires that vCenter be setup with a working SMTP server > click Next
        19. Click Finish
        20. From the Settings menu on the left click the Notification Check Schedule hyperlink
        21. Choose whether you want to enable/disable scheduled notification checks by checking/unchecking the Enable scheduled download checkbox (this looks the same as the download schedule, but these settings are for notifications)
        22. Click the Edit Notifications… hyperlink
        23. Enter in a Task Name and description
        24. Choose a Frequency (Once, Hourly, Daily, Weekly or Monthly)
        25. Choose a Start Time
        26. Choose the Interval (represented in days) > click Next
        27. Enter in the email addresses you want to be notified when new patches are downloaded; this requires that vCenter be setup with a working SMTP server > click Next – this will notify you of recalled patches or other alerts
        28. Click Finish


  • Create/Edit/Delete an Update Manager baseline
    • Creating an Update Manager Baseline
        1. Log in to vCenter using the VI Client
        2. Select the View menu > select Solutions and Applications > Update Manager
        3. Select the Baselines and Groups tab
          • There are two different views for Baselines, Hosts and VMs/VAs.  There are two pre-defined baselines in the Hosts baseline view; Critical Host Patches and Non-Critical Host Patches.  There are three pre-defined baselines in the VMs/VAs baseline view; VMware Tools Upgrade to Match Host, VM Hardware Upgrade to Match Host and VA Upgrade to Latest
        4. Depending upon what you want to create a baseline for (hosts or VMs/VAs) select the appropriate view, in our case we’ll choose the Hosts view, which is the default
        5. Click the Create… hyperlink
        6. Enter in a Name and Description
        7. Select the Baseline Type from the following
          • Host Baselines – Host Patch, Host Extension and Host Upgrade
          • VA Baselines – VA Upgrade
        8. Click Next
        9. Select the type of baseline
          • Fixed – this is a static set of patches that is manually defined
          • Dynamic – this is a set of patches that is updated automatically when new patches are available, based on user-defined criteria
        10. After selecting the baseline type (I’m using Dynamic for this) click Next
        11. Select which patch vendors and products you want for the dynamic baseline to update for
        12. Select the Severity (low, moderate, important and critical) and select the Category (any, security, bugfix, enhancement and other)
        13. Select the Release Date criteria: On or After, On or Before, or both. After making your selections it will tell you, based on your selected criteria and the patches you have already downloaded, how many patches meet your criteria
        14. Click Next
        15. This screen will show you each patch that met your criteria and gives you the option to exclude certain patches. Click on the patches you want to exclude and click the down arrow to add them to the exclusion list – click the Advanced button to filter your selection
        16. Click Next
        17. Here you can add additional fixed patches (must already have been imported manually).  Click on the fixed patches you want to include in your dynamic baseline and click the down arrow to add them – click the Advanced button to filter your selection
        18. Click Next
        19. Click Finish
    • Editing an Update Manager Baseline
        1. Log in to vCenter using the VI Client
        2. Select the View menu > select Solutions and Applications > Update Manager
        3. Select the Baselines and Groups tab
        4. Click on the baseline you want to modify and click the Edit… hyperlink
        5. All the options available in the Create Baseline wizard are available in this wizard; for a detailed overview see the section on Creating an Update Manager Baseline above
        6. Step through the wizard and make changes as needed
        7. Click Finish when complete
    • Deleting an Update Manager Baseline
        1. Log in to vCenter using the VI Client
        2. Select the View menu > select Solutions and Applications > Update Manager
        3. Select the Baselines and Groups tab
        4. Click on the baseline that you want to delete and click the Delete hyperlink
        5. Click Yes to confirm the deletion operation


  • Attach an Update Manager baseline to an ESXi host or cluster
    • You can attach a baseline to an ESXi host or cluster, as well as to the Datacenter object. This walk-through will take you through attaching a baseline to an ESXi host
    • Attach an Update Manager Baseline to an ESXi Host
        1. Log in to vCenter using the VI Client
        2. Navigate to the Host and Clusters view (View > Inventory > Hosts and Clusters)
        3. Select the host you want to attach an Update Manager baseline to and click the Update Manager tab on the right
        4. Click the Attach… hyperlink at the top right
        5. Select which patch baseline(s) you want to attach > click Attach
        6. The baseline(s) you just attached should now show in the Attached Baselines pane


  • Scan and remediate ESXi hosts and virtual machine hardware/tools using Update Manager
    • Before you can scan and remediate an ESXi host you need to have attached a baseline, either pre-defined or manually created.  The operations described below can also be initiated by right-clicking on the ESXi host or Virtual Machine and selecting Scan for Updates and Remediate…
    • Scanning an ESXi host
        1. Log in to vCenter using the VI Client
        2. Navigate to the Host and Clusters view (View > Inventory > Hosts and Clusters)
        3. Select the host you want to scan and click the Update Manager tab on the right
        4. Click the Scan… hyperlink at the top right
        5. Select what you want to scan for (Patches and Extensions, and/or Upgrades)
        6. Click Scan
    • Remediating an ESXi host
        1. Log in to vCenter using the VI Client
        2. Navigate to the Host and Clusters view (View > Inventory > Hosts and Clusters)
        3. Select the host you want to remediate and click the Update Manager tab on the right
        4. Click the Remediate… button at the bottom
        5. Select the Basegroup or Baseline type in the right pane and place a check in the checkbox of the Baseline(s) you want > click Next
        6. Select the Patches and/or extensions you want to apply to this ESXi host > click Next
        7. You will be prompted to schedule this remediation as a task, enter in a Task Name and Description
        8. Under Remediation Time choose when you want to run the task.  Choose Immediately (default) or specify a date and time > click Next
        9. Choose your host maintenance options. If the patches you selected require the host to go into maintenance mode, choose the power state for the virtual machines on the host (power off, suspend, do not change)
        10. If you want to retry entering maintenance mode should the first attempt fail, check the Retry entering maintenance mode in case of failure checkbox and select the Retry delay (in minutes) and Number of retries
        11. Check the Disable any removable media devices connected to the virtual machines on this host checkbox if you want to disconnect removable media
        12. If you want to remediate powered on PXE booted ESXi hosts (auto-deploy) check the Enable patch remediation of powered on PXE booted ESXi hosts checkbox
        13. Click Next
        14. Click Finish


  • Stage ESXi host updates
    • Staging patches allows you to send the patches to the ESXi host(s) prior to performing remediation.  This will lessen the total time for remediation and your host(s) being in maintenance mode because the patches will already be available locally to the host(s), therefore not having to wait for the patches to be copied.
    • Stage ESXi Host Updates
        1. Log in to vCenter using the VI Client
        2. Navigate to the Host and Clusters view (View > Inventory > Hosts and Clusters)
        3. Select the host you want to stage patches for and click the Update Manager tab on the right
        4. Click the Stage… button at the bottom (you can also right click on the host and choose Stage Patches… without going to the Update Manager tab)
        5. Select the baseline where the patches you want to stage are located > click Next
        6. Select the patches you want to stage > click Next
        7. Click Finish
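The Update Manager procedures above (create a dynamic baseline, attach it to a host, scan, stage, remediate) as one PowerCLI script, added here as an example and not from the original post. It assumes the Update Manager PowerCLI snap-in (VMware.VumAutomation) that ships with the matching PowerCLI 5.x release; the vCenter, host and baseline names and the release date are placeholders.

```powershell
# Added example (not the original post's content): dynamic host patch baseline,
# attach, scan, stage and remediate with the Update Manager PowerCLI cmdlets.
Add-PSSnapin VMware.VumAutomation -ErrorAction SilentlyContinue
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$hostName     = 'esxi01.example.local'             # placeholder host
$baselineName = 'Critical host patches since 2012'  # placeholder baseline name
$vmhost = Get-VMHost -Name $hostName

# Dynamic baseline with the criteria the Create Baseline wizard asks for in
# steps 11-13: host patches of severity Critical released on or after a date.
$baseline = Get-Baseline -Name $baselineName -ErrorAction SilentlyContinue
if (-not $baseline) {
    $baseline = New-PatchBaseline -Name $baselineName -TargetType Host -Dynamic `
        -SearchPatchSeverity Critical -SearchPatchStartDate (Get-Date '2012-01-01') `
        -Description 'Dynamic: critical ESXi host patches'
}

# Attach (Update Manager tab > Attach...) and scan for host patches (Scan... > Patches and Extensions).
Attach-Baseline -Baseline $baseline -Entity $vmhost -Confirm:$false
Scan-Inventory -Entity $vmhost -UpdateType HostPatch

# Status is Compliant, NotCompliant, Incompatible or Unknown; -Detailed also lists the patches.
$compliance = Get-Compliance -Entity $vmhost -Baseline $baseline -Detailed
$compliance | Select-Object Entity, Baseline, Status | Format-Table -AutoSize

if ($compliance.Status -eq 'NotCompliant') {
    # Stage first so the patches are already local when the host enters maintenance mode.
    Stage-Patch -Entity $vmhost -Baseline $baseline -Confirm:$false

    # Remediate: the host options mirror the wizard (retry entering maintenance mode,
    # number of retries, delay between retries in seconds, disconnect removable media).
    Remediate-Inventory -Entity $vmhost -Baseline $baseline -Confirm:$false `
        -HostFailureAction Retry -HostNumberOfRetries 3 -HostDelay 300 `
        -HostDisableMediaDevices $true
}
Disconnect-VIServer -Confirm:$false
```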

Tools

Comments (3)

  2. Is VUM able to download and install Windows updates on vSphere 5.5?

    I thought it is not, so what is the alternative to update Windows machines with all the updates if the Internet is turned off for those VMs?

    1. Post Author

      As of vSphere 5.0 VUM does not download or install guest operating system patches.

      You could use SCCM (if you have the product) or WSUS for your Windows patches. If you were running WSUS on a server/VM that had access to the Internet and had access to the same network that the Internet-isolated VMs were running on, then you could have the one box download the patches and then push those out to the VMs without access to the Internet.

      Check out WSUS here http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

      -Josh
