You are on page 1of 48

ESX Server 3 Patch Management

Guide
ESX Server 3.5

ESX Server 3 Patch Management Guide

ESX Server 3 Patch Management Guide


Revision: 20071129

You can find the most up-to-date technical documentation on our Web site at
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com

2007 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242,
6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022,
6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481,
7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999,
7,278,030, 7,281,102, and 7,290,253; patents pending.
VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or
trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names
mentioned herein may be trademarks of their respective companies.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2

VMware, Inc.

Contents

AboutThisBook

ManagingPatchesforESX Server3.5Hosts 7
IntroductiontoPatchProcessing 7
AboutPatches 8
AboutPatchRepositoriesandPatchDepots 10
Aboutextractingbundle.zipfiles 10
Aboutextractingrollup.zipfiles 11
AbouttheesxupdateUtility 12
AboutBundleDependencies 13
AboutScanningforApplicableBundles 14
SampleOutput:scanCommand 15
SampleOutput:--explain scanCommand 16
AboutInstallingBundlesandRollups 16
PatchMaintenanceStrategy 18
AboutCustomizingYourPatchProcess 18
ManagingPatches 19
SettingupPatchDepots 19
MaintainingPatchDepots 21
DownloadingandExtractingPatchFiles 22
ScanningforApplicableBundles 22
UsingaWildcard(*)toScanMultipleBundles 23
RetrievingBundleInformation 24
SampleOutput:queryCommand 25
SampleOutput:infoCommand 26
VerifyingDiskSpace 27
RunningaTestInstall 27
InstallingBundlesonanESX Server3.5Host 29
UsingaWildcard(*)toInstallMultipleBundles 30
VerifyingBundleInstallations 31
OmittingRPMsfromtheInstallation 31
ReinstallingBundles 32

VMware, Inc.

ESX Server 3 Patch Management Guide

ReferenceInformation 33
esxupdateOptionsandCommands 33
esxupdateOptions 33
esxupdateCommands 36
esxupdateExitCodesandErrorMessages 37
VMwareReleaseTerminology 41
AboutMajorReleases 41
AboutMinorReleases 42
AboutMaintenanceReleases 42
AboutUpdateReleases 42
ESX ServerPatchManagementTools 42
AboutVMwareUpdateManager 43
AboutVMwareInfrastructureUpdate 43
AboutvihostupdateRemoteCLI 43
FrequentlyAskedQuestions 43
InstallationChecklist 44

Index 45

VMware, Inc.

About This Book

Thisbook,ESXServer3PatchManagementGuide,providesbackgroundinformationon
processingpatchesforESXServer3.5hostsanddescribeshowtousetheesxupdate
utilitytoapplysoftwareupdatesandtotracksoftwareinstalledonESXServer3.5hosts.
ThisbookprovidesinformationspecifictoESXServer3.5hostsandtheesxupdate
utility.Itdoesnotdiscussthefollowing:

HowtopatchESXServer3.5hostsautomaticallywiththeVMwareUpdateService
andtheVMwareUpdateManager.Forinformationonthesetools,seeESX Server
PatchManagementToolsonpage 42.

HowtopatchESXServer3ihostswiththevihostupdateremotecommandline
interface(remoteCLI).Forinformationonvihostupdate,seeESX ServerPatch
ManagementToolsonpage 42.

HowtopatchESXServersreleasedpriortoversion3.5.Forinformationonthis
process,seethePatchManagementforESXServerstechnote.

HowtoupgradeESXServerhosts.Forinformationonupgrading,seetheUpgrade
Guide.ForalistofVMwarereleasedefinitions,seeVMwareRelease
Terminologyonpage 41.

NOTEYoumusthaveavalidVMwareproductlicensetodownloadVMwarepatches.

Intended Audience
ThismanualisintendedforanyonewhoneedstomanuallyapplypatchestoESX
Server3.5hosts.Theinformationinthismanualiswrittenforsystemadministrators
whomanageESXServersbyusingaserviceconsole.

VMware, Inc.

ESX Server 3 Patch Management Guide

Document Feedback
VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhave
comments,sendyourfeedbackto:
docfeedback@vmware.com

VMware Infrastructure Documentation


TheVMwareInfrastructuredocumentationconsistsofthecombinedVirtualCenterand
ESXServerdocumentationset.

Technical Support and Education Resources


Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.You
canaccessthemostcurrentversionsofthismanualandotherbooksbygoingto:
http://www.vmware.com/support/pubs

Online and Telephone Support


Useonlinesupporttosubmittechnicalsupportrequests,viewyourproductand
contractinformation,andregisteryourproducts.Goto
http://www.vmware.com/support.
Customerswithappropriatesupportcontractsshouldusetelephonesupportforthe
fastestresponseonpriority1issues.Goto
http://www.vmware.com/support/phone_support.html.

Support Offerings
FindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds.Goto
http://www.vmware.com/support/services.

VMware Education Services


VMwarecoursesofferextensivehandsonlabs,casestudyexamples,andcourse
materialsdesignedtobeusedasonthejobreferencetools.Formoreinformationabout
VMwareEducationServices,gotohttp://mylearn1.vmware.com/mgrreg/index.cfm.

VMware, Inc.

Managing Patches for ESX Server


3.5 Hosts

Introduction to Patch Processing


VMwarepatchesforESX Server3.5hostsarelocatedattheVMwareInfrastructure
DownloadCenter(http://www.vmware.com/download/vi).Patchesarenamed
accordingtotheirproduct,version,releasedate,andpatchclassification,andarevalid
onlyforaparticularESX Serverversion.Forexample,youcannotapplyanESX Server
3.0.2patchtoanESX Server3.5host.FormoreinformationontheVMwarerelease
terminologyandpatchnamingconvention,seeAboutPatchesonpage 8.
EachESXServer3.5versionhasacontents.zipfile,whichisalsolocatedattheVMware
InfrastructureDownloadCenter.Thisfilecontainsasecurelistofallpatchesreleased
foraspecificESX Serverversion,andisvitaltothepatchingprocess.Thepatching
utilityusesittoauthenticatedownloadedpatchesandtohandledependencyissues.
Formoreinformationonthecontentsfile,seeAboutPatchRepositoriesandPatch
Depotsonpage 10.
EachVMwarepatchispackagedasa.zipfilethatcontainseitherabundleorarollup.
AbundleisasetofmetadatafilesandRPMpackagesforaspecificfixorupdatetoan
ESX Server3.5host.Arollupisanaggregatebundle,orsuperbundle,thatgroups
togetherasetofsinglebundles.Rollupsprovideyouwithaconvenientwayto
downloadandinstallmultiplebundlesatonetime.VMwaresuggestsyoupatchyour
ESX Server3.5hostsbydownloadingrollupsandinstallingthebundlesnecessaryfor
yourenvironment.Thisensuresthatallbundletobundledependenciescanbe
handledduringinstallation.

VMware, Inc.

ESX Server 3 Patch Management Guide

Eachrollupcontainsallbundlesreleasedfromthelatestmaintenanceorupdate
release.Forexample,VMwaremayreleasethefollowing,inorder:

Maintenancerelease.

5individualbundles,releasedovertime.

1rollup,whichpackagesthe5bundlesreleasedsincethemaintenancerelease.

5individualbundles,releasedovertime.

1rollup,whichpackagesthe10bundlesreleasedsincethemaintenancerelease.

Updaterelease.

5individualbundles,releasedovertime.

1rollup,whichpackagesthe5bundlesreleasedsincetheupdaterelease.

Forinformationonreleaseterminology,seeVMwareReleaseTerminologyon
page 41.Forinformationonhowtoinstallrollupsandindividualbundles,see
InstallingBundlesonanESX Server3.5Hostonpage 29.

About Patches
Softwarepatchesprovideimmediatefixesforoneormoresecurityfixesorcriticalfixes
foraspecificareaoftheproduct.Forinformationaboutaspecificpatch,gotothe
VMwareInfrastructureDownloadCenterathttp://www.vmware.com/download/vi.
ESX Server3.5patchesusethefollowingnamingconvention:
<ProductName><VersionNumber>-<BundleID>-<Classification><SupportLevel>

Where:

ProductNameisESXorESXe.ESXdenotesESX Server 3andESXedenotes

ESX Server 3i Embedded.

VersionNumberistheESX Serverversion,forexample,3.5.0.

BundleIDisauniqueIDcomprisedoftheyearandmonththebundlewasreleased
anda3digituniqueID.ItisintheformatYYYYMM###.Forexample,thefirst
patchreleasedinJanuary2008mighthaveaBundleIDof200801001.

Classification isoneof:

BBug
Bugpatchesfixminorflawsthataffectproductfunctionalityorbehavior.Bug
patchesareoptional.Beforeyouapplythem,determinewhethertheyare
necessaryforyourenvironment.

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

UUpdate
Updatepatchescancontainnewdriverupdatesandsmallnonintrusive
enhancements.Updatepatchesareoptional.Beforeyouapplythem,
determinewhethertheyarenecessaryforyourinstallation.

SSecurity
Securitypatchesfixoneormorepotentialsecurityvulnerabilitiesinthe
product.Theyshouldbeimplementedimmediatelytopreventthe
vulnerabilitiesfrombeingexploited.

RRollup
RolluppatchescontainanynumberofbundlesforESX Server3.5hosts.They
cancontainbugpatches,updatepatches,andsecuritypatches.Theydonot
containupgradebundlesforminorreleasesorupdatebundlesfor
maintenancereleases.

SupportLevelisoneof:

GGAPatch
GApatchesarereleasedtoallcustomersandhavebeenthoroughlytested.
TheycontainfixesforESX Server3softwareissues.

HHotPatch
Hotpatchesarereleasedtospecificcustomersforsolvingcriticalproblems
specifictotheirenvironment.Theycontainfixesforsecurityissuesor
problemsthatcanpotentiallycausedatalossorsevereservicedisruptions.
Hotpatchesshouldbeimplementedimmediately.

DDebuggingPatch
DebuggingpatchesarereleasedtoallcustomersandareusedbyVMwareto
troubleshootcomplexproductissues.Theycancontaindebugmessagesand
code,anddrivers.DebuggingpatchesusuallyrequireVMwareassistanceto
install.

CCustomPatch
Custompatchesarespecialfixesprovidedtoacustomer.Theyareusually
specifictocustomersenvironment,andaremostlikelynotrequiredby
customersnotreportingtheissue.Custompatcheshavebeentestedinthe
customersenvironment.

VMware, Inc.

ESX Server 3 Patch Management Guide

Forexample,thebundleESX350-200801123-SH.zip isforESX Server3.5,released


inJanuary2008.Itcontainsasecurityfix(S)providedasahotpatch(H).Forinformation
onESX Server 3ipatchnaming,seetheESX Server 3iSetupGuide.
Patchesdonothaveinstallationwizards.Youinstallthemwithapatchupdatetool.The
patchupdatetoolforESXServer3.5hostsisesxupdate.Forinformationaboutpatch
updatetoolsforotherESXServerversions,SeeESX ServerPatchManagementTools
onpage 42.

About Patch Repositories and Patch Depots


ApatchrepositoryisadirectoryyousetuptocontaintheESX Serverpatchesand
contentsfileyoudownloadfromVMware,Inc.IfyouhavemultipleESX Server3.5
hostsinyourenvironment,VMwarerecommendsyoucreateyourpatchrepositoryon
alocalsystemthatactsasanHTTPorFTPserveroronanNFSsharesoallhostscan
sharethesamerepository.
NOTEIfyouhaveonlyoneESX Server3.5hostinyourenvironment,youcancreate
therepositoryonthatsystem;however,VMwaredoesnotrecommenditbecausethe
rootpartitionhaslimitedstorage.
Afteryousetupupapatchrepository,youcreatedepots,whicharedirectoriesinto
whichyouextractthecontentsandpatch.zipfiles.Youcancreateanynumberof
depotsinyourrepository.Forexample,ifyourenvironmentiscomprisedofESXServer
3.0.1hosts,ESXServer3.5hosts,andESXServer3ihosts,youshouldcreateaseparate
depotforeachversion.
Thepatchmaintenanceutility,esxupdate,usesthedepottodeterminewhichbundles
areapplicabletoyourESX Server3.5hostandtoinstallmultiplebundlesatonetime.

About extracting bundle.zip files


Whenyouextractabundleintoadepot,afolderiscreatedwiththebundleIDand
containsthefollowingelements:

10

Acontents.xmlfileforthebundle,whichcontainsareferencetothebundles
descriptor.xmlfileandalistofeveryRPMpackageanditsassociatedsignature.

Acontents.xml.sigfile,whichisadetachedGPGsignatureofthecontentsfile.
Thisisusedtovalidatethecontentsfileforintegrity.

Adescriptor.xmlfile,whichcontainsinformationaboutabundle,includinga
summaryofthefix,dependencydetails,andRPMdetails.esxupdateusesthe
descriptorfiletodeterminehowtohandlebundleorsystemdependenciesandto
determinewhichbundlesandRPMsareapplicabletothehostsystem.

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

TheRPMsoftwarepackages.

Adirectoryfortheheaderfiles.

About extracting roll-up.zip files


Whenyouextractarollupintothedepot,thefollowingitemsareaddedtothedepot:

Afolderfortherollupbundle,namedwiththerollupID,containinga
contents.xml,contents.xml.sig,anddescriptor.xmlfilefortherollup.

Afolderforeachindividualbundleintherollup,namedwiththebundleID.Each
bundlefoldercontainsadescriptorfile,acontentsfile,acontentssignaturefile,
andtheRPMsoftwarepackages.

Forexample,sayyouhaveadepotnamedESX350.Youdownloadandextractthe
contents.zipfileandarollupESX350-Rollup-01.zip.Iftherollupcontains2
bundles,ESX350-200801001-BG,andESX350-200801002-BG,thedepotwill
containthreefoldersonefortherollupandoneforeachbundle:
/VMware_Patches <----Patch repository
/ESX350 <----Depot
contents.xml
contents.xml.sig
/ESX350-200801003-RG <----Roll-up folder
contents.xml
contents.xml.sig
descriptor.xml
/ESX350-200801001-BG <----Bundle folder
contents.xml
contents.xml.sig
descriptor.xml
headers/
VMware-esx-vmkernel-3.5.0-65312.i386.rpm
/ESX350-200801002-BG <----Bundle folder
contents.xml
contents.xml.sig
descriptor.xml
headers/
VMware-esx-apps-3.5.0-65312.i386.rpm

Formoreinformationonbundledependencies,seeAboutBundleDependencieson
page 13.Forinformationoncreatingpatchdepots,seeSettingupPatchDepotson
page 19.

VMware, Inc.

11

ESX Server 3 Patch Management Guide

About the esxupdate Utility


Youusethepatchmaintenanceutility,esxupdate,toretrieveinformationabout
VMwarebundles,totrackinstalledsoftware,andtoapplysoftwarepackagesto
ESX Server3.5hosts.Yourunesxupdatefromtheserviceconsolewhileyouarelogged
ontoanESX Server3.5hostasuserroot.Youcanrunonlyoneinstanceatatimeon
thesameESX Server3.5host.
Arecordofeachinstalledbundleiswrittentothe/etc/vmware/patchdbdirectoryon
thehost.TherecordincludesthebundleID,theinstallationtime,theRPMsinstalled,
andotherdetails.Thisdirectoryactsasapatchdatabaseandisusedbyesxupdateto
querythepatchesinstalledonthehost.
CAUTIONThisdirectoryisreadonly.Ifyouchangethecontents,whenesxupdate
performsanintegritycheck,itwillfailforthechangedfiles.Insuchcases,esxupdate
exitswithanIntegrityErrormessage.Formoreinformation,seeesxupdateExitCodes
andErrorMessagesonpage 37.
ForESX Server3.5hosts,therearefourbasicmodesofesxupdate:Inspectionmode,scan
mode,testmode,andupdatemode.

Inspectionmodequeriesyoursystemforbundlesandbundledetails.Therearetwo
commandsyouusetoretrievebundleinformation:esxupdatequeryand
esxupdateinfo.

Usetheesxupdatequerycommandtodisplayalistofbundlesinstalledon
ESX Server3.5host.Theoutputliststhebundlesinascendinginstallation
order,andincludesthebundlename,installationdate,anda40character
summaryofthebundle.Bundlesthathavebeensupersededbyanother
bundle,andthereforeobsolete,arenotlisted.

Usetheesxupdateinfocommandtodisplayinformationthecontentsofone
ormorebundles.Theoutputincludesthebundlename,releasedate,and
detailsaboutthemetadatafiles,includingtheRPMpackagesthathavebeen
installed,removed,orupgradedonanESX Server3.5host.Theinfocommand
alsoreturnsinformationaboutRPMpackagesnothandledbyesxupdate,such
asthosethathaveversionsnotdefinedbyVMware.Thisallowsyoutotrack
RPMpackagesthatwereinstalledbythirdpartyagents.
Youcanusetheinfocommandforbothinstalledanduninstalledbundles.
Formoreinformation,seeRetrievingBundleInformationonpage 24.

12

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

ScanmodedetermineswhichbundlesareapplicabletotheESX Server3.5hostby
queryingthebundlesinadepotandthebundlesinstalledonthehostforbundle
andsystemdependencies.Usetheesxupdatescancommandbeforeyouinstall
bundlestoseewhichoneshavedependenciesandwhichonesareapplicabletothe
host.Formoreinformation,seeAboutScanningforApplicableBundleson
page 14.

Testmodeenablesesxupdatetogothroughallinstallationoperationswithout
installingthespecifiedbundles.Itdownloadstheappropriatefiles,preloadsthe
esxupdatedepotcacheforHTTPandFTPservers,checksforbundleandsystem
dependencies,anddeterminesthebundleorderandRPMstobeinstalled.Itdoes
notcheckforRPMconflictsordependencies.Formoreinformation,seeRunning
aTestInstallonpage 27.

UpdatemodeinstallsbundlesonESX Server3.5hosts.Usetheesxupdateupdate
commandtoinstallindividualbundlesandrollups.Updatemodescansthedepot
fordependenciesandhandlesthem,ifpossible,beforeinstalling.Formore
information,seeInstallingBundlesonanESX Server3.5Hostonpage 29.

Forinformationonesxupdatesyntaxandcommands,seeesxupdateOptionsand
Commandsonpage 33

About Bundle Dependencies


Thedescriptorfileforeachbundlecontainsadependenciessectionthatdefines
bundledependenciesandsystemstatedependenciesforeachbundle.esxupdateuses
thisfilewhenyouupdateanESX Server3.5host.
Bundledependenciesincludebundlesthatarerequiredbythebundle,obsoletedbythe
bundle,orinconflictwiththebundle.Thesystemstatedependenciesincludewhether
asystemreboot,ahostdrestart,ormaintenancemodeforvirtualmachinesisrequired
forabundle.Inaddition,esxupdatechecksthatthebundleisforthecorrectversionof
theESX Server3.5andthatthereisenoughdiskspacetoperformtheinstallation.
Ifesxupdatecanresolvealldependencies,itinstallsallrequiredbundles.
NOTEIfarebootisrequiredinthemiddleofamultibundleinstallation(forexample,
ifaspecificbundlerequiresanotherbundletoalreadybeinstalled),esxupdatewill
rebootthehostautomaticallyifyoudidnotspecifythe--norebootoption.Afterthe
hostisbackonline,youcanrerunthesameesxupdatecommandtocompletethe
installationprocess.Forinformationonthe--norebootoption,see--norebooton
page 34.

VMware, Inc.

13

ESX Server 3 Patch Management Guide

Ifesxupdatecantresolvealldependencies,itexitswithoutperformingtheinstallation.
Insuchcases,youmustmanuallyresolvethedependenciesbeforerunningtheupdate
again.Forexample,ifabundlerequiresthatvirtualmachinesmustbeinmaintenance
modeandtheyarepoweredon,youmustpowerthemoffbeforeupdatingthehost.For
alistofdependencyflags,seeAboutScanningforApplicableBundlesonpage 14.
Formoreinformationondependencychecking,seeAboutScanningforApplicable
Bundlesonpage 14.

About Scanning for Applicable Bundles


TodeterminewhichbundlesinyourdepotareapplicabletoyourESX Server3.5host,
usetheesxupdatescancommand.Thiscommandvalidatesallpatchsignaturesand
checkseachbundleforreleasespecificdependencies,obsoletebundledependencies,
andsystemstatedependenciestodeterminewhatpatchestoinstallandinwhatorder.
Ifyouareperformingamultibundleinstallation,youcanusethiscommandtoseehow
theesxupdateupdatecommandwillprocessbundleswhenyouperformtheinstall.
Inaddition,youcanusetheapplicabilityflags(AppFlgs)andinstallflags(iFlgs)
returnedbythescantohelpyoucheckforerrorsinthedepotandtoanalyzetheamount
ofsystemdowntimeisrequiredtocompletetheinstallation.
Whenyouscanadepot,thefollowinginformationisreturnedintheconsolewindow
foreachbundle:

ThebundleID.

Whetherthebundleismissingfromthedepotorisnotapplicable.Insuchcases,
thebundleisdisplayedwithoneofthefollowingapplicabilityflags:
Table 1. ScanCommandApplicabilityFlags

14

AppFlgs

Description

Thebundleisalreadyinstalled.

Arequiredbundlewasreturnedbythescanselectionandwillbe
installed.

Arequiredbundleisnotinthedepotandmustbeinstalled.Download
thebundlesoitcanbeinstalled.

Thereisaconflictbetweenbundles.Ifthespecifiedbundleconflicts
withaninstalledbundle,itcannotbeinstalledwithoutremovingthe
installedbundle.Ifthespecifiedbundleconflictswithanotherbundle,
removingtheotherbundlefromthebundleselectionwillallowthis
bundletobeinstalled.

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Table 1. ScanCommandApplicabilityFlags (Continued)


AppFlgs

Description

Thebundlehasbeenobsoletedbyanotherbundleintheselectionand
doesnotneedtobeinstalled.Notethatesxupdatehandlesobsolete
bundles;youdonotneedtoremovethemmanually.

Oneormorefilesorsignaturescouldnotbevalidated.Thisindicates
anunauthenticatedbundle.

ThisbundlerequirestheESX Server3.5hosttobeinmaintenance
mode,andatleaseonevirtualmachineispoweredon.

Toretrievethereasonwhyabundleisnotapplicable,runthescancommandwith
the--explainoption.

Abriefsummaryofthebundle.

Oneofthefollowinghostinstallationflags(iFlag):
Table 2. ScanCommandInstallationFlags
iFlag

Description

Rebootrequired.

Maintenancemoderequired.

Hostagentrestartrequired.

Ifesxupdatecanhandlealldependenciesanddoesnotfindanyconflicts,itcaninstall
thepatchesincludedinthescan.Ifconflictsexist,theyarelistedintheAppFlags
columnofthescanoutput.Foranexample,seeSampleOutput:scanCommandon
page 15.

Sample Output: scan Command


Thefollowingexampleshowstheinformationreturnedfromanesxupdate scan
commandonadepot.Noticethedepotcontainsabugfixbundle(BG),asecurityfix
bundle(SG),andtworollupbundles(RG).
- Bundle Name -

AppFlags

--- Summary ---

iFlags

ESX350-200801030-BG

---c----

Patch for VM crashes and timeouts

-mh

ESX350-200804044-SG

---c----

Console OS security fix

-mh

ESX350-200801115-RG

----o---

A roll-up for January 2008

--h

ESX350-200811190-RG

--------

A roll-up for November 2008

--h

VMware, Inc.

15

ESX Server 3 Patch Management Guide

Ifthescanreturnsconflictsordependencyproblems(AppFlags)andyouwantmore
information,runthescancommandwiththe--explainoption.Foranexample,see
SampleOutput:--explain scanCommandonpage 16.

Sample Output: --explain scan Command


Thefollowingexampleshowstheinformationreturnedwhenyouruntheesxupdate
--explain scancommandonadepot.
- Bundle Name -

AppFlags

--- Summary ---

iFlags

ESX350-200801030-BG

---c----

Patch for VM crashes and timeouts

-mh

[ESX350-200801030-BG] conflicts with ESX350-200804044-SG. Only one may be


installed.
ESX350-200804044-SG

---c----

Console OS security fix

-mh

[ESX350-200804044-SG] conflicts with ESX350-200701630-BG. Only one may be


installed.
ESX350-200801115-RG

----o---

A roll-up for January 2008

--h

[ESX350-200801115-RG] superseded by [ESX350-200811110-RG].


ESX350-200811190-RG

--------

A roll-up for November 2008

--h

Forinformationonscanningadepotfordependencies,seeScanningforApplicable
Bundlesonpage 22.

About Installing Bundles and Roll-ups


Youusetheesxupdateupdatecommandtoinstallbundlesandrollups.Youcaninstall
anynumberofbundlesatonetimeaslongastheyresideinthesamedepotandall
dependenciesarehandled.Wheninstallingbundles,keepinmindthefollowing
esxupdatebehavior:

16

IfyoudonotspecifybundleIDstoinstall,esxupdateinstallsallapplicablebundles
inthedepot.

IfyouspecifyoneormorebundleIDstoinstall,thefollowingcanhappen:

Ifnodependenciesexist,esxupdateinstallsonlythosebundles.

Ifdependenciesexistandaspecifiedbundlerequiresoneormoreunspecified
bundlestoalsobeinstalled,esxupdateinstallstheunspecifiedbundlesalong
withthespecifiedbundles.

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

IfyouspecifyarollupIDtoinstall,esxupdateinstallsallbundlespackagedinthat
rollupandignoresallotherbundlesandrollupsinthedepot.

Toensureyouhaveadequatediskspacefortheinstallation,thehostsystemshould
havethefollowingspaceavailable:

Aminimumof24MBforthe/tmpand/boot directories.

Aminimumof50MBforthe/rootdirectory.

Ingeneral,twicethesizeofthedownloadedbundles.

Beforeyouinstallbundlesorrollups,scanthedepottomakesurethereareno
bundletobundledependenciesthatcannotbehandled.Forexample,ifyouare
installingasinglebundle,anditisdependentonanotherbundlebeinginstalled,make
surebothbundlesareinthedepot.Iftheyarenot,esxupdatecannotproceedwiththe
installation.
Duringtheinstallationprocess,esxupdatevalidateseachbundlebyusingasetof
signaturekeys.Thebundle.zipfiles,contents.zipfiles,andallfilesinabundle
containVMwaresignaturekeys.Ifapatchcontainsamissingorinvalidsignature,
esxupdatedoesnotconsiderthebundleforinstallation.
Aftervalidatingthebundles,esxupdateperformsthefollowingtasksduringtheinstall:

Checksforsoftwaredependenciesandprerequisites,forexampleifthebundleis
thecorrectESX Serverversion,ifvirtualmachinesarepoweredoff,andsoforth.

CheckstheintegrityofthemetadatafilesandRPMsineachbundle.

Orderstheapplicablebundlesaccordingtotheirdependenciesandreleasedate.

Checksforadequatediskspace.

RemovesobsoleteRPMsfromtheESX Server3.5host.

InstallstheRPMs.RPMsinstalledalreadyorsupersededbyanewerinstalled
versionarenotinstalled.

Ifnecessary,performssystemstaterequirementssuchasasystemrebootorhostd
restart.

Duringtheinstallation,ifanesxupdatepatchisavailable,theutilitywillupdateitself.
Iftheinitrdanddriverconfigurationsrequirechanges,thechangesaremadeafterall
bundlesareinstalled.
Forinformationoninstallingbundles,seeInstallingBundlesonanESX Server3.5
Hostonpage 29.Forinformationoncheckingforpatchdependencies,seeAbout
ScanningforApplicableBundlesonpage 14.

VMware, Inc.

17

ESX Server 3 Patch Management Guide

Patch Maintenance Strategy


UsethefollowingguidelinestomanagepatchingforyourESX Server3.5hosts.

Keepyourenvironmentascurrentaspossible.Determinewhetherabundleis
necessaryforyourenvironmentandapplythosebundles.Minimizethechangeto
yoursoftwareenvironmentwheneverpossible.Formoreinformationon
determiningbundleapplicability,seeAboutScanningforApplicableBundleson
page 14.

Analyzetheriskfactorofapplyingthebundle.Forexample,assessthevirtual
machineandESX Server3.5hostdowntimerequirements.Thescancommand
providesagoodwaytoanalyzerisksandserverdowntime.

Downloadandinstallrollupsratherthanindividualbundles.Thissavesyou
downloadtimeandensures,whendependenciesexist,thatyourdepotcontainsall
necessarybundles.Inaddition,alwaysdownloadthecurrentcontents.zipfile
whenyoudownloadbundlesorrollups.

Foramultihostenvironment,setuppatchdepotsonacentralizedserver
accessiblebyallESX Serverhosts.CreateaseparatedepotforeachESX Server
versioninyourenvironment.YoucanputdepotsonanESX Serverhost;however,
VMwaredoesnotrecommendit.Formoreinformation,seeAboutPatch
RepositoriesandPatchDepotsonpage 10.

About Customizing Your Patch Process


Youcanwritecustomscriptstoautomateyourpatchprocess.Forexample,youcan
createacronjobtoperiodicallydownloadrollupstoadepotandwriteascripttoscan
thedepotforapplicablebundlesandinstallallatonetime.Ifduringthescanoperation,
esxupdatefindsabundlethatrequiresvirtualmachinestobepoweredoff,youcan
writeascriptthatputsthemintomaintenancemode.
IfyouwrotecustomscriptstoautomatetheESX Server3.0patchprocess,youmust
updatethemtoworkwithESX Server3.5.Specifically,upgradeyourscriptstousethe
esxupdate-doptiontopointtothedepotandtoinstallmultiplebundlesatonetime.
NOTEYoucanstillusethe-r optionwiththeinfoandupdatecommands;however,
dependencieswillnotberesolved.

18

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Managing Patches
Theproceduresinthissectiondescribehowtosetupyourpatchenvironmentand
installbundlesonyourESX Server3.5hosts.

SettingupPatchDepotsonpage 19.

DownloadingandExtractingPatchFilesonpage 22.

ScanningforApplicableBundlesonpage 22.

RetrievingBundleInformationonpage 24.

VerifyingDiskSpaceonpage 27.

RunningaTestInstallonpage 27.

VerifyingBundleInstallationsonpage 31.

OmittingRPMsfromtheInstallationonpage 31.

ReinstallingBundlesonpage 32.

Setting up Patch Depots


VMwaresuggestsyousetuppatchdepotsonanHTTPserver,FTPserver,oranNFS
sharesystem.ThisallowsyoutoupdateyourESX Server3.5hostsfromonecentral
locationsoyouonlyhavetodownloadandextractpatchesonetimeforallESXServer
hosts.
To set up an HTTP Depot
YoucancreateapatchdepotonanApacheHTTPServeroraMicrosoftInternet
InformationServer(IIS).ThefollowingexampleshowshowtosetupanApacheHTTP
Serverasapatchdepot.
1

Setupthepatchrepository.
a

SettheApacheDocumentRoot directivetothedirectoryfromwhichhttpd
willservefiles.Forexample:
DocumentRoot "/var/www/html"

Defineadepotdirectory.Forexample:
<Directory /var/www/html/esx35>
Options +Indexes
</Directory>

VMware, Inc.

19

ESX Server 3 Patch Management Guide

RestarttheApacheservice.

NOTEIfyoudonotchangedirectoriestothedepotdirectorywhenyourunesxupdate,
youmustspecifytheHTTPdirectoryinthecommand.Forexample:
esxupdate -d http://<HTTP_Server_Hostname>/<Depot_Directory>

To set up an FTP Depot


1

Setupthepatchrepository.
a

CreatethedirectoryfromwhichtheFTPserverwillprovidethefiles.For
example:
/var/updates

Createadepotdirectory.Forexample:
/var/updates/esx35

NOTEIfyoudonotchangedirectoriestothedepotdirectorywhenyourunesxupdate,
youmustspecifytheFTPdirectoryinthecommand.Forexample:
esxupdate -d ftp://<FTP_Server_Hostname>/<Depot_Directory>

To set up an NFS Share Depot


1

Setupthepatchrepository.
a

CreateadirectoryfromwhichtheNFSserverwillprovidethefiles.For
example:
/var/updates

Openthe/etc/exportsfileandaddthedirectorypathasreadonly(ro).For
example:
/var/updates *(ro)

Createadepotdirectory.Forexample:
/var/updates/esx35

d
2

RestarttheNFSservice.

UsethemountcommandtomaketheNFSshareavailabletoeachESX Server3.5
host.

NOTEIfyoudonotchangedirectoriestothedepotdirectorywhenyourunesxupdate,
youmustspecifythedepotNFSSharedirectoryinthecommand.Forexample:
esxupdate -d file:///<NFS_Share_Hostname>/<Depot_Directory>

20

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Maintaining Patch Depots


Clearthecontentsofyourdepotsperiodicallytocontrolthediskspaceusage.This
includesdeletingbundlesthathavealreadybeeninstalledandclearingthedepot
cache.
Asaruleofthumb,donotdeletethebundlesinadepotuntilyouhaveinstalledall
bundlesuptoacertainreleasedate.Thisallowsesxupdatetocompletelycheckfor
bundledependencies.Forexample,ifyouinstallbundlesinarollup,donotdelete
themuntilyouinstallallbundleswithinthatrollup.Deletingsomebundlesbeforeyou
installallofthemmaycorruptyourdepot.
IfyouuseanFTPorHTTPserverforyourdepot,bundleandcontentsfilesarecached
onanESX Server3.5hosteverytimenewbundlesareinstalled.Itisnotnecessaryto
clearthecacheeverytimeyouinstallabundle;however,checkthecachesize
periodicallytomakesureitismanageable.SeeToclearthedepotcacheonpage 21.
(IfyourdepotisonanNFSshare,thisprocedureisnotnecessary.)
To clear the depot cache
1

LogintotheserviceconsoleontheESX Server3.5hostasuserroot.
NOTEIfyoudonothavedirectaccesstotheESX Server3.5host,connectremotely
totheserviceconsoleusingssh.

Enterthefollowingcommandtocheckthespoolusage:
du -sh /var/spool/esxupdate

Enterthefollowingcommandtocheckthediskspace:
df -l

Checkthecachesizeand,ifnecessary,clearthecachebyrunningtheesxupdate
scan commandwiththeflushcacheoption:
esxupdate -d <DepotURL> --flushcache scan

Formoreinformationonthe -flushcachecommand,see--flushcacheon
page 34.

VMware, Inc.

21

ESX Server 3 Patch Management Guide

Downloading and Extracting Patch Files


NOTEIfyouextractarollupintoadepotthatcontainsapreviousrollup,thefile
extractionutilitywillrecognizethefilesthatarethesameandaskyoutooverwrite
themorskipthem.Youcanchooseeitheraction;theresultisthesameanddoesnot
corruptthedepot.
To download patch .zip files
1

Ifnecessary,setupapatchdepot.SeeSettingupPatchDepotsonpage 19.

GototheVMwareInfrastructure3.5DownloadCenter
(http://vmware.com/download/vi)anddownloadthepatch.zipfilesandthe
latestcontents.zip file.

Useafileextractionutilitytoextractthe.zipfilestothedepot.

Forinformationonthedepotdirectorystructure,seeAboutPatchRepositoriesand
PatchDepotsonpage 10.

Scanning for Applicable Bundles


YouscanbundlesinadepottodetermineiftheyareapplicabletotheESX Server3.5
hostandiftheyhaveanydependencies.Duringthescanprocess,esxupdatechecks
eachbundleforintegrity,applicability,anddependencies.Theresultsarereturnedto
theserviceconsoleforeachbundle.
To scan for applicable bundles
1

LogintotheserviceconsoleontheESX Server3.5hostasuserroot.
NOTEIfyoudonothavedirectaccesstotheESX Server3.5host,connectremotely
totheserviceconsoleusingssh.

IfthedepotisnotontheESX Server3.5host,typethefollowingcommandto
enableanoutgoingconnectionfortheserviceconsole:
esxcfg-firewall --AllowOutgoing

Runtheesxupdatescancommand.
NOTEYoudonotneedtospecifythe-d<depotURL>optioninthecommandif
youarerunningesxupdatefromthedepotdirectory.

22

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Toscanallbundlesinadepot:
esxupdate -d <depotURL> scan

Toscanspecificbundlesinadepot:
esxupdate -d <depotURL> -b <bundleID1> -b <bundleID2> scan

Ifyouaredoneaccessingthedepot,resettheserviceconsolefirewalltohigh
security:
esxcfg-firewall --blockOutgoing

Forinformationonscanning,seeAboutScanningforApplicableBundlesonpage 14.
Forinformationonesxupdatesyntaxandcommands,seeesxupdate scanon
page 37.
To retrieve information about the scan results
Ifthescanoutputcontainsoneormorebundleswithconflictsorbundledependency
issues,runthescancommandwiththe--explainoptiontoretrievedetailsaboutthe
issue.
NOTEYoudonotneedtospecifythe-d<depotURL>optioninthefollowing
commandsifyouarerunningesxupdatefromthedepotdirectory.

Toretrievedetailsaboutallbundlesinadepot:
esxupdate -d <DepotURL> --explain scan

Toretrievedetailsaboutspecificbundlesinadepot:
esxupdate -d <DepotURL> -b <BundleID> -b <BundleID> --explain scan

Forasampleoutputofthe--explainoption,seeSampleOutput:--explain scan
Commandonpage 16.

Using a Wildcard (*) to Scan Multiple Bundles


Youcanrunthescancommandwithawildcard(*)tospecifymultiplebundlesthat
haveasimilarenamorbundletrait.Thewildcardactsasasubstituteforanycharacters
inthebundlename.Forexample,youcanscanbundlesbasedontheirbundle
classificationorsupportlevel..ThefollowingcommandretrievesalistofallESX Server
3.5bundleswithasecurity(S)classificationandgeneralavailability(G)supportlevel:
esxupdate -d <depotURL> -b *SG scan

ForinformationontheVMwarebundlenamingconvention,seeAboutPatcheson
page 8.Forinformationonesxupdatesyntaxandcommands,seeesxupdate scan
onpage 37.

VMware, Inc.

23

ESX Server 3 Patch Management Guide

Retrieving Bundle Information


ToretrieveinformationaboutbundlesandRPMpackages,usetheesxupdatequery
andesxupdateinfocommands.
To retrieve information about installed bundles
1

Fromtheserviceconsole,logontotheESX Server3.5hostasuserroot.
NOTEIfyoudonothavedirectaccesstotheESX Server3.5host,connectremotely
totheserviceconsoleusingssh.

Runtheesxupdatequeryorinfocommand.

Toretrieveabriefsummaryofallinstalledbundles:
esxupdate query

Thiscommandlistsallinstalledbundlesinascendinginstallationorderand
includestheinstallationdateandabriefsummaryforeachbundle.Obsolete
bundlesarenotlisted.

Toretrievedetailedinformationaboutinstalledbundles,includingRPMs:
esxupdate -l query

NOTEYoudonotneedtospecifythe-d<depotURL>optioninthefollowing
commandsifyouarerunningesxupdatefromthedepotdirectory.

Toretrieveasummaryaboutbundlesreturnedbythequery:
esxupdate info <bundleID1> <bundleID2>

Toretrievedetailedinformationaboutbundlesreturnedbythequery,
includingRPMdetails:
esxupdate -l info <bundleID1> <bundleID2>

Forinformationonesxupdatesyntaxandcommands,seeesxupdate queryon
page 36andesxupdate infoonpage 36.

24

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Sample Output: query Command


Thefollowingexampleshowstheinformationreturnedwhenyouruntheesxupdate
querycommandonanESXServer3.5host:
Installed software bundles
-----Name----

--Install Date--

--------Summary--------

3.5.0-56329

23:37:26 11/04/08

Full installation of ESX


3.5.0-56329

ESX350-200802055-BG

23:49:26 11/04/08

Fix COS running Dell OM5 w/


QLogic

ESX350-200803066-SG

23:50:02 11/04/08

Fix COS security bug

To retrieve information about bundles in a depot


1

Fromtheserviceconsole,logontotheESX Server3.5hostasuserroot.
NOTEIfyoudonothavedirectaccesstotheESX Server3.5host,connectremotely
totheserviceconsoleusingssh.

IfthedepotisnotontheESX Server3.5host,typethefollowingcommandto
enableanoutgoingconnectionfortheserviceconsole:
esxcfg-firewall --AllowOutgoing

Runtheesxupdateinfocommand.
NOTEYoudonotneedtospecifythe-d<depotURL>optioninthecommandif
youarerunningesxupdatefromthedepotdirectory.

Toretrieveasummaryofallbundlesinadepot:
esxupdate -d <DepotURL> info

Toretrieveasummaryofspecificbundlesinadepot:
esxupdate -d <DepotURL> -b <bundleID1> -b <bundleID2> info

ToretrievedetailedinformationonallbundlesandRPMpackagesinadepot:
esxupdate -d <DepotURL> -l info

VMware, Inc.

25

ESX Server 3 Patch Management Guide

Toretrievedetailedinformationonspecificbundlesinadepot,includingall
RPMpackages:
esxupdate -d <DepotURL> -l -b <bundleID1> -b <bundleID2> info

or
esxupdate -d <DepotURL> -l -b *<partial_bundleID> info

ToretrievedetailedinformationonthebundlesorRPMpackagesinaspecific
rollup:
esxupdate -d <DepotURL> -l -b <RollupID> info

Ifyouaredoneaccessingthedepot,resettheserviceconsolefirewalltohigh
security:
esxcfg-firewall --blockOutgoing

Forinformationonesxupdatesyntaxandcommands,seeesxupdate infoon
page 36.

Sample Output: info Command


Thisexampleshowstheinformationreturnedwhenyouruntheesxupdatelinfo
commandonasinglebundle:
Product : VMware ESX Server
Vendor : VMware, Inc. (support@vmware.com)
Bundle ID: : ESX350-200802055-BG
Release Date : 2008-02-19T21:18:17-07:00
Summary : Fix COS Oops running Dell OM5 w/ QLogic
Description : This patch includes two fixes: A flaw in the service console
kernel which could lead to an error when running Dell OpenManage 5 with a QLogic
Fiber Channel controller; A PSOD, due to an overflow of a statistic stored by
the TCP/IP stack. The statistic was removed.
Requires : 3.5.0-*
Conflicts with:
Obsoletes :
Will reboot after install : False
Maintenance Mode required : False
Bundle URL :file:///depot/3.5.0_depot/ESX350200802055BG
RPMs skipped or not yet installed:
200711455-1.0-1vmw

26

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Verifying Disk Space


Checkthefollowingtomakesurethehostsystemhasenoughdiskspace.

The/partitiondirectoryhasatleast50MBoffreespace.

Thediskspaceallocatedtotheserviceconsolehasanamountoffreespacethatis
twicethesizeofthebundletobeinstalled(thatis,thesizeofthe.zipfile).

Tip Beforeinstallingpatches,runatestinstall.The--testoptionautomatically
checksthediskspaceforyou.SeeRunningaTestInstallonpage 27.

Running a Test Install


Atestinstallenablesesxupdatetoperformthefollowingtaskswithoutinstallingany
bundlepackages:

Downloadstheappropriatebundlefilestothehost.

Ifnecessary,preloadstheesxupdatedepotcache.

Checksforbundleandsystemdependencies.

Determinesthebundleorder.

DetermineswhichRPMsmustbeinstalledwithoutinstalling.

NOTERPMleveldependenciesandconflictsarenotcheckedduringatestinstall.
ThiscommandalsoloadstheesxupdatecacheforHTTPandFTPdepots.Asaresult,
whenyouruntheupdatecommand,itwilltakelesstimetodownloadthebundlesto
theESX Server3.5host.
Afteresxupdatecompletesthetest,itprintsoutareportshowingifeachbundlewillbe
installed,andifnot,thereason.Youcanusethislisttofixanydependenciesthatarent
handledautomaticallybyesxupdate.
ThereportalsodisplaysalistofRPMsthatareobsoletedbyotherbundles,andwhich
bundlescausedthemtobeobsoleted.

VMware, Inc.

27

ESX Server 3 Patch Management Guide

To run a test install


1

Fromtheserviceconsole,logontotheESX Server3.5hostasuserroot.
NOTEIfyoudonothavedirectaccesstotheESX Server3.5host,connectremotely
totheserviceconsoleusingssh.

IfthedepotisnotontheESX Server3.5host,typethefollowingcommandto
enableanoutgoingconnectionfortheserviceconsole:
esxcfg-firewall --AllowOutgoing

Runtheesxupdateupdateoperationwiththe--testoption.
NOTEYoudonotneedtospecifythe-d<depotURL>optioninthecommandif
youarerunningesxupdatefromthedepotdirectory.

Torunatestinstallationofallbundlesinadepot:
esxupdate -d <DepotURL> --test update

Torunatestinstallationofallbundlesinarollup:
esxupdate -d <DepotURL> -b <RollupID> --test update

Torunatestinstallationofmultiplebundlesinadepot:
esxupdate -d <DepotURL> -b <bundleID> -b <bundleID> --test update

or
esxupdate -d <DepotURL> -b *<partial_bundleID> --test update

Torunatestinstallationofonespecificbundle:
esxupdate -r <BundleURL> --test update

Ifyouaredoneaccessingthedepot,resettheserviceconsolefirewalltohigh
security:
esxcfg-firewall --blockOutgoing

28

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Installing Bundles on an ESX Server 3.5 Host


PerformthefollowingprocedureoneachESX Server3.5hostthatrequiresapatch
update.Theinstallationprocessisrecordedintheesxupdate.logfile.Bydefault,this
fileislocatedinthe/var/log/vmwaredirectory.
NOTEToomitRPMpackagesfrombeinginstalledwithabundle,seeOmittingRPMs
fromtheInstallationonpage 31.
To install bundles on an ESX Server host:
1

Verifythehosthasenoughdiskspacetoperformtheinstallation.
SeeVerifyingDiskSpaceonpage 27.

Fromtheserviceconsole,logontotheESX Server3.5hostasuserroot.
NOTEIfyoudonothavedirectaccesstotheESX Server3.5host,connectremotely
totheserviceconsoleusingssh.

IfthedepotisnotontheESX Server3.5host,typethefollowingcommandto
enableanoutgoingconnectionfortheserviceconsole:
esxcfg-firewall --AllowOutgoing

Scanthedesiredbundlestodetermineiftheyareapplicableandifdependencies
arehandled.
SeeScanningforApplicableBundlesonpage 22.
NOTEIfthescandeterminedthatabundlerequiresarebootduringthe
installation,youcanusethe--norebootoptionduringtheupdateoperation
toforceallbundlestobeinstalledbeforerebootingtheserver.See
--norebootonpage 34.

Ifconflictswerereturnedbythescan,performthenecessarytaskstoresolvethem.
SeeAboutScanningforApplicableBundlesonpage 14.

VMware, Inc.

29

ESX Server 3 Patch Management Guide

Dooneofthefollowingtoruntheesxupdateupdatecommand:
NOTEYoudonotneedtospecifythe-d<depotURL>optioninthecommand
ifyouarerunningesxupdatefromthedepotdirectory.

Installallapplicablebundlesinthedepot:
esxupdate -d <depotURL> update

Installspecificbundlesinthedepot:
esxupdate -d <depotURL> -b <bundle1> update

Youcanalsousethewildcardcharacter(*).Forexample,toinstallallsecurity
bundlesinthedepot:
esxupdate -d <depotURL> -b "*SG" update

SeeUsingaWildcard(*)toInstallMultipleBundlesonpage 30.

Installallapplicablebundlesinarollup:
esxupdate -d <depotURL> -b <rollupID> update

Ifnecessary,waitforthesystemtoreboot.

Runtheesxupdatequerycommandtoverifytheinstallationwasasuccess.
SeeVerifyingBundleInstallationsonpage 31.

Ifyouaredoneaccessingthedepot,resettheserviceconsolefirewalltohigh
security:
esxcfg-firewall --blockOutgoing

Using a Wildcard (*) to Install Multiple Bundles


Youcanruntheupdate commandwithawildcard(*)toinstallmultiplebundlesthat
haveasimilarnameorbundletrait.Thewildcardactsasasubstituteforanycharacters
inthebundlename.Forexample,youcaninstallallbundlesreleasedwithaspecific
bundleclassificationorsupportlevel.ForinformationontheVMwarebundlenaming
convention,seeAboutPatchesonpage 8.
ThefollowingcommandinstallsallESX Server3.5bundleswithasecurity(S)
classificationthatwerereleasedwithageneralavailability(G)supportlevel:
esxupdate -d <depotURL> -b *SG update

Forinformationoninstallingbundles,seeInstallingBundlesonanESX Server3.5
Hostonpage 29.

30

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Verifying Bundle Installations


ThiscommandletsyouverifyallRPMswereinstalledcorrectly,thatnonewere
missingorhadthewrongversionnumber.
1

Ifnecessary,logontotheESX Server3.5hostasuserroot.
NOTEIfyoudonothavedirectaccesstotheESX Server3.5host,connectremotely
totheserviceconsoleusingssh.

IfthedepotisnotontheESX Server3.5host,typethefollowingcommandto
enableanoutgoingconnectionfortheserviceconsole:
esxcfg-firewall --AllowOutgoing

Runtheesxupdatequerycommand.
esxupdate query

Makecertainthebundleyouinstalledisinthereturnlist.
4

(Optional)Toretrievedetailedinformationaboutoneormorebundlesinthe
returnlist,useoneofthefollowingcommands:

esxupdate -l query

esxupdate -l info <BundleID1><bundleID2>

Omitting RPMs from the Installation


1

LogontotheESX Server3.5hostasuserroot.
NOTEIfyoudonothavedirectaccesstotheESX Server3.5host,connectremotely
totheserviceconsoleusingssh.

IfthedepotisnotontheESX Server3.5host,typethefollowingcommandto
enableanoutgoingconnectionfortheserviceconsole:
esxcfg-firewall --AllowOutgoing

Runtheesxupdateupdatecommandwiththe--exclude option(-x)andspecify
theRPMpackagename.
NOTEYoudonotneedtospecifythe-d<depotURL>optioninthecommandif
youarerunningesxupdatefromthedepotdirectory.
esxupdate -d <DepotURL> -x <PackageName> update

VMware, Inc.

31

ESX Server 3 Patch Management Guide

Forexample,iftheRPMnameisxinetd-2.6.3-0.18.i386.rpm,xinetdisthe
packagename:
esxupdate -d <DepotURL> -x xinetd update

Thisoptionworksacrossallbundlesinthedepot;therefore,youdonotneedtouse
the -bflagtospecifythebundlecontainingtheRPMpackage.
4

Ifyouaredoneaccessingthedepot,resettheserviceconsolefirewalltohigh
security:
esxcfg-firewall --blockOutgoing

Formoreinformationoninstallingbundles,seeInstallingBundlesonanESX Server
3.5Hostonpage 29.

Reinstalling Bundles
CAUTIONVMwaredoesnotrecommendreinstallingbundlesbecauseinstallinga
bundleoverwritestheexistingfilesonthesystem,regardlessofwhetherthesystem
filesarenewer.Ifyouoverwriteafilewithanolderversion,youmaydestabilizeyour
ESX Server3.5host.VMwarecannotprovideguaranteesfortheintegrityofthe
ESX Server3.5hostunlessyouarereinstallingthelatestRPMpackages.VMware
suggestsyoucallVMwaretechnicalsupportbeforeyouperformareinstallation.
1

Fromtheserviceconsole,logontotheESX Server3.5hostasuserroot.
NOTEIfyoudonothavedirectaccesstotheESX Server3.5host,connectremotely
totheserviceconsoleusingssh.

IfthedepotisnotontheESX Server3.5host,typethefollowingcommandto
enableanoutgoingconnectionfortheserviceconsole:
esxcfg-firewall --AllowOutgoing

Runtheesxupdateupdatecommandwiththeesxupdate -f flagandspecifythe
bundleID.
NOTEYoudonotneedtospecifythe-d<depotURL>optioninthecommandif
youarerunningesxupdatefromthedepotdirectory.
esxupdate -d <DepotURL> -b <BundleID> -f update

Ifyouaredoneaccessingthedepot,resettheserviceconsolefirewalltohigh
security:
esxcfg-firewall --blockOutgoing

32

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Reinstallingabundlechangesthetimestampandthepatchorderreturnedbythe
esxupdatequerycommand.Thisdoesnoteffecttheupdateoperationesxupdatewill
continuetoinstallbundlesinthecorrectorder.

Reference Information
Thissectioncontainsthefollowingreferenceinformation:

esxupdateOptionsandCommandsonpage 33.

esxupdateExitCodesandErrorMessagesonpage 37.

VMwareReleaseTerminologyonpage 41.

ESX ServerPatchManagementToolsonpage 42.

FrequentlyAskedQuestionsonpage 43.

InstallationChecklistonpage 44

esxupdate Options and Commands


TheesxupdateutilityisapatchmaintenancetoolforESX Server.Youuseittoreview
thecontentsofabundle,enforcesoftwaredependencies,installsoftware,andtrack
installedsoftware.
YourunesxupdatefromtheESXserviceconsolewhileloggedinasuserroot.The
activityofthetoolisrecordedintheesxupdate.logfile.Bydefault,thisfileislocated
inthe/var/log/vmwaredirectory.
Toseehelpinformationforesxupdate,runtheutilitywithnoarguments.

esxupdate Options
Table 3. esxupdate Options
Option

Flag

Description

-d <depotURL>

-d

Specifiesthelocationofadepot.Ifnotspecified,esxupdate
assumesthecurrentdirectoryisadepot.Whenyouusethe
-d flagwithoutthe-bflag,esxupdatehandlesallbundles
inthedepot.Forexample:
(HTTP): esxupdate -d
http://<HTTP_Server_Hostname>/esx350
(FTP): esxupdate -d
ftp://<FTP_Server_Hostname>/esx350
(NFS):esxupdate -d file:///var/updates/esx350

VMware, Inc.

33

ESX Server 3 Patch Management Guide

Table 3. esxupdate Options (Continued)


Option

Flag

Description

-b <BundleID> | <*>

-b

Specifiesoneormorebundles.Ifnotspecified,allbundles
arehandled.Useone-bflagforeachbundletoinstall.For
example:
esxupdate -b ESX350-200802055-BG -b
ESX350-200803066-SG
Usetheasterisk(*)wildcardasasubstituteforany
charactersinthebundlename.Forexample,toretrievea
listofalluninstalledbundlesforESX Server3.5,usethe
followingcommand:
esxupdate -b ESX350* info
Ifyoudonotrunthecommandfromthedepotdirectory,
youmustspecifythedepotlocationwiththe-dflag.
Explains,indetail,whyabundleisnotapplicable,has
conflictsorhasdependencyissues.Usethisoptionwith
theesxupdate scanoperation.Forexample:

--explain

esxupdate -d <depotURL> --explain scan


Removesthedepotcachefromthehostsystem.Usethis
optionwiththeesxupdate updatecommand.For
example:

--flushcache

esxupdate -d <depotURL> --flushcache update


ThisisnecessaryforHTTPandFTPservers.
SeeMaintainingPatchDepotsonpage 21.
--listrpms

-l

ListsdetailsaboutRPMsinabundle.Usethisoptionwith
the-d,-b,or-rflagsandtheesxupdate infoand
esxupdate querycommands.

Whenusedwiththeesxupdateinfocommand,lists
detailsaboutabundlesinstalledandnotinstalled(or
skipped)RPMpackages,includingtheirversion
numbers.AlsolistsRPMsremovedbythebundle.

Whenusedwiththeesxupdatequerycommand,
providesdetailsaboutthepackagesthathavebeen
installed,removed,orupgradedonanESX Server
host.Thisincludespackagesnothandledby
esxupdate.

SeeToretrieveinformationaboutinstalledbundleson
page 24andToretrieveinformationaboutbundlesina
depotonpage 25.
--noreboot

34

-n

ForcesesxupdatenottoreboottheESX Serverhostafter
installingthebundle.Youcanusethiscommandwhenyou
installmultiplebundlesatonetime.

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Table 3. esxupdate Options (Continued)


Option

Flag

Description

--nosigcheck

Forcesesxupdatenottocheckthedepotfilesignatures.Use
thiscommandifyourVMwarelicensehasexpiredandyou
havenotyetreceivedanewone.

--test

Downloadstheappropriatebundlefiles,preloadsthe
esxupdatedepotcacheforHTTPandFTPservers,checks
forbundleandsystemdependencies,anddeterminesthe
bundleorderandRPMstobeinstalledwithoutinstalling
anypackages.Usethisoptionwiththeesxupdate update
command.Forexample:
esxupdate -d <depotURL> --test update
Thisoptiondisplaysstatusinformationsoyoucan
previewhowtheupdatewilloccur.
NoteThisoptiondoesnotcheckforRPMlevel
dependencies.
SeeRunningaTestInstallonpage 27.

--verbose

Changesthelevelofdetailwrittentotheesxupdate.log
file.Possiblevaluesare:

10Debug

20DetailedInformation

30Warning

40Error

Thefollowingoptionsarenotrecommendedandareprovidedonlyforbackwardcompatibility.
--repo <bundleURL>

-r

Providedforbackwardcompatibilityonly,andshouldnot
beused.Itdoesnotresolvedependencyissues.
Specifiesthelocationofabundledirectory.Usethis
commandtorunanoperationonaspecificbundle.For
example:
(HTTP): esxupdate -r
http://<HTTP_Server_Hostname>/<esx>/<bundleID1
>
(FTP): esxupdate -r
ftp://<FTP_Server_Hostname>/esx35/<bundleID1>
(NFS):esxupdate -r
file:///var/updates/esx35/<bundleID1>

VMware, Inc.

35

ESX Server 3 Patch Management Guide

Table 3. esxupdate Options (Continued)


Option

Flag

Description

--exclude
<package>

-x

ExcludesthespecifiedRPMpackageduringinstall.Use
thisoptionwiththeesxupdate updatecommand.It
worksacrossallbundles;thereforeyoudonotneedto
specifythebundlecontainingit.Useone-xflagforeach
RPMtoexclude.ThepackagenamemustbeanRPM
name.Forexample:
esxupdate -x RPM1 -x RPM2 update
Ifyoudonotrunthecommandfromadepotorbundle
directory,youmustspecifytheappropriatepathwiththe
-dor-rflag.
SeeOmittingRPMsfromtheInstallationonpage 31.

--force <BundleID>

-f

Reinstallsthespecifiedbundle.Thisoptionisnot
recommendedbecauseitoftendowngradestheRPM
installed.Useitwiththeesxupdate updatecommand
onlytoreinstallacurrentbundle.

esxupdate Commands
Table 4. esxupdate Commands
Command

Description

esxupdate info

Displaysinformationaboutbundles,includingabriefsummary,
buildandinstalltimes,bundledependencies,andRPMdetails.This
commandretrievesthebundledefinitionsfromthedepotorthepatch
databaseontheESX Serverhost(/etc/vmware/patchdb).See
RetrievingBundleInformationonpage 24.
Syntax for bundles in a depot:
esxupdate [-d <depotURL> ] [-b <BundleID> | <*>]
[--listrpms] info
Syntax for bundles in the patch database:
esxupdate [--listrpms] info <bundleID1> <bundleID2>

esxupdate query

Returnsalist,ininstallorder,ofallbundlesinstalledonthe
ESX Serverhost.Ifabundlewasmadeobsoletebyanewerbundle,
onlythenewerbundleisreturned.SeeToretrieveinformationabout
installedbundlesonpage 24.
Syntax
esxupdate [--listrpms] query

36

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Table 4. esxupdate Commands (Continued)


Command

Description

esxupdate scan

Checksuninstalledbundlesforreleasespecificdependencies,
obsoletebundledependencies,andsystemstatedependenciesto
determinewhatpatchesarevalidtoinstallandinwhatorder.Youcan
scantheentiredepotorspecifybundlesinthecommand.Theoutput
isthedependencyinformation.SeeAboutScanningforApplicable
Bundlesonpage 14.
Syntax
esxupdate [-d <depotURL> ] [-b <BundleID> | <*> ]
[--explain] [--nosigcheck] [--test] [--verbose] scan

esxupdate update

Checksthespecifiedbundlesfordependencies,checkstheESX Server
hostfordependencies,determineswhichbundlestoinstall,and
installsthemontheESX Serverhost.SeeInstallingBundlesonan
ESX Server3.5Hostonpage 29.
Syntax
esxupdate [-d <depotURL> ] [-b <BundleID> | <*>]
[--nosigcheck] [--noreboot] [--exclude <package>]
[--test] [--flushcache] [--verbose] update

esxupdate Exit Codes and Error Messages


Table 5. esxupdate Error Codes and Error Messages
Exit Code

Error Message

Explanation and Workaround

Theinstallationcompletedsuccessfully;the
esxupdateutilityhasnotaskstocomplete.

Theesxupdateoperationisfinishedor
whenthespecifiedbundleisalready
installed.
Workaround:None.

80

Theinstallationcompletedsuccessfullyand
theESX Serverhostmustberebooted.

Theesxupdateoperationisfinished
andaninstalledbundlerequiresa
systemreboot.
Workaround:ReboottheESXServer
host.

Youaretryingtorunesxupdateasauser
otherthanroot.

YouloggedintotheESXServerhostas
auserotherthanrootandtrytorun
esxupdate.
Workaround:Loginasrootandtry
again.

Invalidcommandlinesyntaxorarguments.

Thecommandyouenteredtorun
esxupdateisincorrectorismissingan
option.
Workaround:Checkthecommandline
syntaxandfixanyerrors.

VMware, Inc.

37

ESX Server 3 Patch Management Guide

Table 5. esxupdate Error Codes and Error Messages (Continued)


Exit Code

Error Message

Explanation and Workaround

GeneralIOError.

Therearenetworkissuesorfilesystem
errors,suchasproblemswithfileaccess
permissions.
Workaround:

YumisnotinstalledortheYum
configurationfile(yum.conf)ismissing.

TheYuminstallationcontainserrors
andtheyum.conffileisnotinthe /etc
directoryontheESXServerhost.
Workaround:ReinstallYumorrestore
themissingyum.conffile.

Alockcannotbeacquiredbecauseanother
instanceofesxupdateisrunning.

Youcanrunonly1esxupdateinstance
onthesamehostatonetime.
Workaround:Waituntiltheother
instanceisfinishedandthenrerunthe
esxupdatecommand.Youcanmonitor
esxupdatestatusintheesxupdate.log
filelocatedinthe/var/log/vmware/
directory.

10

ThespecifiedURLisnotcorrect.

TheURLcontainserrors.
Workaround:Makesureyouusefile:
orhttp:atthebeginningoftheURL
andcheckthattherearenospelling
errors.

11

Afilewasnotdownloadedorismissing
fromthedepotcache.

Theesxupdatecommandcantfindthe
specifiedfileinthelocalcache.
Workaround:Makesurethenetwork
connectionisworkingandrerunthe
command.

12

38

Thecontents.xmlfileordescriptor.xml
filecouldnotbeparsed,wascorrupt,orhad
anillegalvalue.

esxupdatecouldnotvalidatethefile.
Workaround:Makesurethe.zipfile
downloadedcorrectlyandrunanmd5
check.Ifthefileiscorrupt,deleteitand
downloaditagain.

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Table 5. esxupdate Error Codes and Error Messages (Continued)


Exit Code

Error Message

Explanation and Workaround

13

ThepatchdatabaseontheESX Serverhost
iscorrupt.

esxupdatecouldnotvalidatethepatch
databaselocatedinthe
/etc/vmware/patchdbdirectoryand
theintegritycheckfailed.
Workaround:

20

Thereleasedoesnotexistinthepatch
database.

Deletethepatchdatabasefilefrom
theESXServerhost.andrecreateit.

Downloadandreinstallthe3.5
releasedescriptorfile.

Downloadthelatestrollup.

Runesxupdate updateonthe
entiredepot.

Thebundleyouarespecifyingisnot
installedonthehost.
Workaround:Runtheesxupdate
querycommandtogetalistofinstalled
bundles.Thenruntheesxupdate
info<bundleID>commandona
bundleIDreturnedbythequery.

33

34

Thereisnotenoughdiskspacetoinstallthe
specifiedbundle.

AnRPMdependencyerroroccurred.

Thisisastandarddiskspaceerror.
Workaround:Clearthedepotcacheor
/tmpdirectoryandrerunthe
esxupdate updatecommand.
Generallyoccurswhena3rdparty
agenthasadependencyVMware
doesntaddress.
Workaround:Determineifthe
dependentRPMisneededinyour
environmentanddooneofthe
following:

VMware, Inc.

Usethe --forceoptiontoinstall
theRPM.

Usethe--excludeoptiontoskip
theRPM..

39

ESX Server 3 Patch Management Guide

Table 5. esxupdate Error Codes and Error Messages (Continued)


Exit Code

Error Message

Explanation and Workaround

37

Themetadatasignaturesforthespecified
bundlecouldnotbeauthenticated.

Thereisageneralintegrityerrorwitha
bundlemetadatafileorrpmpackage.
Thiscanoccurifthefilewasdamaged
duringthedownloadoperationorifit
wasdownloadedfromanonVMware
siteandwasaltered.
Workaround:Downloadthebundle
fromtheVMwareDownloadCenter
andreruntheesxupdatecommand.

40

Generalbundledependencyerror.

Morethanonebundlehasa
dependencyerrorsoaspecificerror
codecouldnotbereturned.
Workaround:Checkthe
/var/log/vmware/esxupdate.log
fileforadescriptionoftheproblemand
awaytoworkaroundit.

41

42

Thebundlerequiresthespecifiedbundleto
beinstalledfirst.

Thisbundleisobsoleteanddoesnotneedto
beinstalled.Asupersedingbundlehasbeen
installedonthishost.

Therequiredbundleisntinthedepot.
Workaround:Downloadlatestrollup
andthenrunesxupdate updateon
thedepot.
Youspecifiedanobsoletebundleto
installandtheESXServerhosthas
alreadybeenupdatedwithanewer
bundlethatsupersedestheobsolete
bundle.
Workaround:None.VMwaresuggests
youdontinstalltheobsoletebundle.

43

Thebundleyouareinstallingconflictswith
<bundleID>installedonthishost.

YouspecifiedabundleIDtoinstalland
itconflictswithabundlealready
installedonthehost.
Workaround:None.Bothbundles
shouldnotbeinstalledonthesame
host.

40

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

Table 5. esxupdate Error Codes and Error Messages (Continued)


Exit Code

Error Message

Explanation and Workaround

52

Afailureoccurredwhileinstallingor
removingpatchpackages.Examinethe
esxupdatelogfile
(/var/log/vmware/esxupdate.log)for
detailsaboutthefailure.

ThisisageneralRPMerror.Problems
mightexistwhenwritingtotheRPM
postscriptfile.

54

Thepatchinstallationcompleted
successfully;howeveranerroroccurred
duringsystemreconfigurationanditmay
notbeabletoboot.

Workaround:checktheesxupdate.log
filefordetails.Mostoften,rerunning
thesameesxupdatecommandwillfix
theproblem.
Thisoccursduringageneralupdateto
driversortheVMkernel.Ifanyofthe
updatestepsfail,thiserrorcanoccur.
Workaround:Checkthe
(/var/log/vmware/esxupdate.log
filefordetailsontheerror.Thenrerun
thesameesxupdatecommand.RPMs
alreadyinstalledareskipped.

VMware Release Terminology


Inadditiontopatches,VMwareprovidessoftwareinthefollowingformats:

Majorreleases.SeeAboutMajorReleasesonpage 41.

Minorreleases.SeeAboutMinorReleasesonpage 42.

Maintenancereleases.SeeAboutMaintenanceReleasesonpage 42.

Updatereleases.SeeAboutUpdateReleasesonpage 42.

ForinformationaboutVMwaresupportpolicies,see
http://www.vmware.com/pdf/support_terms_conditions.pdf.
NOTEThissectionusesanx.y.zconventiontodenoteproductversionnumbers.

About Major Releases


Majorreleasesaresoftwareupgradesthatcontainfixesforcriticalandseriousbugsthat
existinthepreviousreleaseandfixesforasmanynoncriticalbugsasfeasiblewithin
thedevelopmentschedule.Inaddition,majorreleasesprovidefunctional
enhancements.
Amajorreleaseversionisidentifiedbyachangeinthexpositionoftheproduct
versionnumber.Forexample,Forexample,ESXServer3isanewmajorreleasefrom
ESXServer2.x.Alicensekeyforversion2.xwillnotworkwithversion3.0.
Majorreleaseshaveinstallationwizards.
VMware, Inc.

41

ESX Server 3 Patch Management Guide

About Minor Releases


MinorReleasesaresoftwareupdatesthatcontainfixesforhighseveritybugsidentified
incurrentreleasesandmayincludeminorenhancements.Minorreleasesare
cumulativeallsubsequentminorreleasescontainthebugfixesprovidedbythe
previousminorrelease.Youonlyneedtoinstallthelatestminorreleasewhenupdating
yoursystem.
Aminorreleaseversionisidentifiedbyachangeintheypositionoftheproduct
versionnumber.Forexample,ESXServer3.5isaminorreleaseforESXServer3.0.Your
licensekeyforversion3.0willworkwithversion3.5.
Minorreleaseshaveinstallationwizards.

About Maintenance Releases


Maintenancereleasesaresoftwareupdatesthatcontainfixesformultiplebugsdeemed
toocriticaltowaitforinclusioninthenextproductupdate.Thereleaseversionis
identifiedbyachangeinthezpositionoftheproductversion.Forexample,VMware
GSXServer1.0.3isamaintenancereleasethatsupersedesVMwareGSXServer1.0.2.
Youcaninstallmaintenancereleaseswithaninstallationwizard(forISOimages)or
withapatchupdatetool.

About Update Releases


Updatereleasesaresoftwareupdatesthatcontainupdatestohardwaredevicesor
driversandarereleasedaspartofthecurrentmaintenancerelease.Forexample,
VMwareESXServer3.0.2Update1isanupdatereleaseforESXServer3.0.2.
Youcaninstallupdatereleaseswithaninstallationwizard(forISOimages)orwitha
patchupdatetool.

ESX Server Patch Management Tools


ThissectiondescribesthreepatchmanagementtoolsthatVMwareprovidesinaddition
totheesxupdateutility:

AboutVMwareUpdateManager

AboutVMwareInfrastructureUpdate

AboutvihostupdateRemoteCLI

Youcanaccessthemostcurrentversionsofthedocumentationforeachtoolbygoing
tohttp://www.vmware.com/support/pubs.

42

VMware, Inc.

Managing Patches for ESX Server 3.5 Hosts

About VMware Update Manager


VMwareUpdateManagerisapluginapplianceforVIClientthatperiodically
downloadspatchinformationfromtheInternetandexaminesESX Server3.5and
ESX Server3ihostsforpatchcompliance.Ifitdeterminesapatchisrequired,VMware
UpdateManagerdownloadsthepatchandinstallsitbasedonuserdefined
configurations.VMwareUpdateManagerisanoptionalfeaturethatrequiresVIClient.
TheVMwareUpdateManagerdocumentationconsistsofreleasenotes,an
administrationguide,andonlinehelpintegratedwiththeVMwareUpdateManagerVI
Clientplugin.

About VMware Infrastructure Update


VMwareInfrastructureUpdateisabackgroundprocessthatperiodicallychecksfor
newupdatesthatareapplicabletoESXServer3ihostsconnectedtotheVIClient.If
InfrastructureUpdatefindsapplicablepatches,itdownloadsandcachesthemlocally
sotheycanbeinstalled.InfrastructureUpdaterequiresVIClientandisinstalled
automaticallywhenitisinstalled.
VMwareInfrastructureUpdateisdocumentedintheESX Server3iSetupGuide.

About vihostupdate Remote CLI


vihostupdateisaremoteCLIyouusetoscananESX Server3ihostforinstalled
patches,enforcesoftwareupdatepolicies,andinstallsoftwarepatches.
TheVMwarevihostupdateRemoteCLIisdocumentedintheESX Server3i
ConfigurationGuideandtheESX Server3iSetupGuide.

Frequently Asked Questions


WhenanRPMonmyESX Serverhosthasalinuxequivalent,canIusethelinuxRPM
toupdatemysystem?
No.VMwarerecommendsyouonlyupdateyourESX Server3.5hostwithRPMs
suppliedbyVMware.
CanIremoveinstalledVMwarepatchesfrommyESX Serverhost?
No.Patchescannotberemovedoncetheyhavebeeninstalled.
ShouldthebuildnumberoftheESX ServerhostchangeafterIapplyapatch?
ItisnormalforsomeportionsoftheESX Server3.5softwareinstallationtochangebuild
numberswhenpatchesareapplied.Forinformationondeterminingthebuildnumber
foreachofthecomponentsofyourESX Serverinstallation,seeKB1001179.

VMware, Inc.

43

ESX Server 3 Patch Management Guide

Installation Checklist
Printthischecklistanduseitasaguidewheninstallingpatches.

Setupdepots
SeeSettingupPatchDepotsonpage 19.

Downloadthepatch.zipfile
SeeDownloadingandExtractingPatchFilesonpage 22.

Downloadthelatestcontentsfile
SeeDownloadingandExtractingPatchFilesonpage 22.

Scanforapplicablebundles
SeeScanningforApplicableBundlesonpage 22.

Runatestinstall
SeeRunningaTestInstallonpage 27.

Installapplicablebundles
SeeInstallingBundlesonanESX Server3.5Hostonpage 29.

Verifythatbundleswereinstalledcorrectly
SeeVerifyingBundleInstallationsonpage 31.

44

VMware, Inc.

Index

B
bundles
about 7
about extracting 10
about installing 16
applicability flags 14
deleting 21
dependencies 13
installing 29
querying bundles in a depot 25
querying installed bundles 24
reinstalling 32
retrieving RPM details 25
scanning 14, 22
test install 27
verifying installation 31

C
contents file
about 10
downloading 22
customizing patching, about 18

D
dependencies, about 13
depots
about 10
clearing the cache 21
deleting bundles 21
downloading files 22
example directory structure 11
FTP 20

VMware, Inc.

HTTP 19
maintaining 21
NFS 20
querying bundles 25
descriptor file
about 10
disk space
requirements 27

E
error messages 37
esxupdate
-b option 34
-d option 33
--exclude option 36
exit codes and error messages 37
--explain option 34
--flushcache option 34
--force option 36
info operation 36
-l (--listrpms) option 34
--noreboot option 34
--nosigcheck option 35
query operation 36
-r option 35
scan operation 37
--test option 35
update operation 37
--verbose option 35
esxupdate utility
about 12
commands 33, 36

45

ESX Server 3 Patch Management Guide

options 33
Exit codes 37
explain scan option
sample output 16

FAQ 43
frequently asked questions 43
FTP depots 20

patch tools 42
support level definitions 9
patching
customizing 18
strategy 18
patching tools
vihostupdate Remote CLI 43
VMware Infrastructure Update 43
VMware Update Manager 43

HTTP depots 19

query command
about 36
sample output 25

I
info command
about 36
sample output 26
installation
disk space 27
verifying 31
installed bundles
listing 24

M
maintenance releases, about 42
major releases, about 41
minor releases, about 42

N
NFS depots 20

P
patch download center 7
patch releases, about 8
patches
about 7
classification descriptions 8
downloading 22
naming 8
naming convention 8
46

R
reinstalling bundles 32
releases, about 41
repositories
about 10
FTP 20
HTTP 19
NFS 20
roll-ups
about 7
about extracting 11
about installing 16
installing 29
RPM packages
omitting 31
retrieving details 25

S
scan command
about 37
sample output 15
scan option
sample output 16

VMware, Inc.

Index

scanning bundles 22
about 14
applicability flags 14
explaining scan results 23
using a wildcard 23, 30
system dependency flags 15

T
test install, running 27

U
update command
about 37
update releases, about 42

V
vihostupdate Remote CLI 43
VMware Infrastructure Download
Center 7
VMware Infrastructure Update 43
VMware releases
maintenance releases 42
major releases 41
minor releases 42
patch releases 8
update releases 42
VMware Update Manager 43

W
wildcard character
installing bundles 30
scanning bundles 23, 30

VMware, Inc.

47

ESX Server 3 Patch Management Guide

48

VMware, Inc.