Keeping systems up to date is extremely important in the world of infrastructure. This is true from a features and functionality standpoint as well as from a stability and security standpoint. The VMware vSphere environment is no exception to this rule, as new patches are released regularly for both vCenter and the VMware ESXi platform. With all the high availability mechanisms provided by VMware vSphere vCenter clusters, there is no compelling reason to stay behind on VMware updates. Let’s take a look at the process of updating your VMware ESXi servers both from Update Manager and from the command line.

vCenter Update Manager

VMware Update Manager gives VMware administrators a graphical way, through vCenter, to keep VMware ESXi up to date with the latest patches. With Update Manager, you attach baselines to ESXi servers in vCenter, scan each ESXi server against the baselines you have attached, and then remediate the host based on the scan results. Installing updates via VMware vCenter Update Manager requires that the host be placed in maintenance mode. While the host is in maintenance mode, the updates are installed and the Update Manager process then triggers a reboot.

In vSphere 6.0 and below, VMware vCenter Update Manager was a component that had to be installed on a Windows Server in the environment. This Windows Server could be the vCenter Server if you were running vCenter using the Windows installation. However, if you were running the VCSA appliance as your vCenter server, you needed a separate Windows Server in the environment even if you only wanted to run the Update Manager component. The Update Manager plugin was also only available in the vSphere Windows Client.

One of the new and exciting features of the new vSphere 6.5 VCSA appliance is that Update Manager is included in the appliance itself. The requirement to have a separate Windows Server for Update Manager is now gone. Additionally, you can access Update Manager via the web client. This greatly simplifies the configuration to have Update Manager present in your environment. It also reduces the footprint of servers for vCenter and Windows licensing since you no longer need the extra Windows server.

Let’s take a look at how the process of using vCenter Update Manager works in applying updates to a VMware ESXi host in vCenter. Prerequisites here are that you either have a Windows Server with Update Manager installed and registered in vCenter, or you are running the new vSphere VCSA 6.5 appliance.

Click your host and then click the Update Manager tab. Notice under Baseline that we have no baselines assigned.

Click the Attach Baseline button to select the baselines that we wish to attach.

By default, Update Manager has Patch Baselines already defined for you. Notice we have Non-Critical Host Patches and Critical Host Patches. Place a check by each and click OK.

Now, we should see the baselines listed.

The next step is to click Scan for Updates.

We can select either of the baselines or both that we had selected above to be used for the scan.

You will see a task fire off in vCenter with the scan process.

In this example, the scan reports the host as Compliant, which means no missing patches were found for the attached baselines. If patches were available, we would simply remediate the server, which installs the selected patches. Before remediating, we would make sure the host is in maintenance mode and that any running VMs have been evacuated from it.

Applying updates via the command line

What if you don’t have vCenter Server running in your environment? Maybe you only have a standalone ESXi host running a few VMs, or a host in a lab environment. Without vCenter Server, we can still keep our ESXi host up to date. To apply updates, however, we need to use the command line to pull down the updates and then apply them to our ESXi host.

First, to see the current system version, use the following command:

  • esxcli system version get

To know which profile updates we need to pull down, we need to find our current software profile. To do that use the following command:

  • esxcli software profile get

Before the host can pull updates down from the online depot, the ESXi firewall must allow outbound HTTP traffic. To do that, we enable the httpClient firewall ruleset with the following command:

  • esxcli network firewall ruleset set -e true -r httpClient

To list the image profiles available for our version of ESXi, 6.5 in this case, we can pipe the depot listing through the “grep” command to narrow down our options.

  • esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep ESXi-6.5.0

Before beginning the update process, enter maintenance mode on the host. Once the host is in maintenance mode (VMs powered off, etc.), we can apply the updates to it. We can use PowerCLI to do this from the command line of a management workstation connected to the host, where Host is the name of the ESXi host:

  • Set-VMHost -VMHost Host -State "Maintenance"

To actually apply an update that is listed in the available updates we use the following command:

  • Example: esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-6.5.0-20170404001-standard

Once the update is applied, we simply need to reboot.

  • You can issue the command reboot at the ESXi command line

If you want to close the HTTP firewall exception again after the update, disable the httpClient ruleset:

  • esxcli network firewall ruleset set -e false -r httpClient
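
The steps above combined into one script for the ESXi shell, as an added example that is not part of the original article: it refuses to patch outside maintenance mode, picks the highest-numbered standard profile for the given version, and closes the httpClient ruleset again even when the update fails. The function names and the sample listing rows (other than the article's ESXi-6.5.0-20170404001-standard) are constructed, and it assumes the number in a profile name grows with each release.

```shell
#!/bin/sh
# Added example, not from the original article. Sample listing rows other than
# ESXi-6.5.0-20170404001-standard are constructed for illustration.
DEPOT="https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml"

# Read `esxcli software sources profile list` output on stdin and print the
# PREFIX-<number>-standard profile with the highest number (assumption: the
# number grows with each release). no-tools and other variants are skipped.
latest_profile() {
    awk -v p="$1-" '
        index($1, p) == 1 && $1 ~ /-[0-9]+-standard$/ {
            n = split($1, f, "-"); b = f[n - 1] + 0
            if (b > best) { best = b; name = $1 }
        }
        END { if (name == "") exit 1; print name }'
}

# Update to the newest profile for PREFIX. The httpClient ruleset is opened only
# while the depot is in use and is closed again even if the update fails.
patch_host() {
    if [ "$(esxcli system maintenanceMode get)" != "Enabled" ]; then
        echo "host is not in maintenance mode; refusing to patch" >&2
        return 2
    fi
    esxcli network firewall ruleset set -e true -r httpClient || return 3
    target=$(esxcli software sources profile list -d "$DEPOT" | latest_profile "$1") &&
        esxcli software profile update -d "$DEPOT" -p "$target"
    rc=$?
    esxcli network firewall ruleset set -e false -r httpClient
    return "$rc"
}

# Constructed sample of the depot listing, for trying latest_profile offline.
SAMPLE_LISTING='Name                              Vendor        Acceptance Level
--------------------------------  ------------  ----------------
ESXi-6.5.0-20170304001-standard   VMware, Inc.  PartnerSupported
ESXi-6.5.0-20170404001-no-tools   VMware, Inc.  PartnerSupported
ESXi-6.5.0-20170404001-standard   VMware, Inc.  PartnerSupported
ESXi-6.0.0-20170604001-standard   VMware, Inc.  PartnerSupported'

# On the host: sh patch.sh --apply ESXi-6.5.0   (then reboot)
if [ "${1:-}" = "--apply" ]; then
    patch_host "$2"
fi
```

A non-zero exit status means nothing was confirmed as installed: 2 for a host not in maintenance mode, 3 if the ruleset could not be enabled, otherwise the status of the failed listing or update step.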

Thoughts

With the security concerns that exist today, there is an urgent need to keep all server-side resources patched. This includes VMware vSphere environments. By using the tools we have available from VMware, we can easily keep ESXi hosts patched to the current patch level. The vCenter Update Manager allows us to use a graphical interface to patch our ESXi servers. If we aren’t running vCenter in our environment, we can use the command line to pull down and apply the latest patches to a standalone ESXi server. So, if you are a VMware administrator, make good use of the tools available to have a secure and stable VMware vSphere environment.
