
Patch Management

Module 12

2013 VMware Inc. All rights reserved

You Are Here

Course Introduction

Access and Authentication Control

Software-Defined Data Center

Resource Management and Monitoring

Creating Virtual Machines

High Availability and Fault Tolerance

VMware vCenter Server

Host Scalability

Configuring and Managing Virtual Networks


Patch Management

Configuring and Managing Virtual Storage

Installing vSphere Components

Virtual Machine Management

VMware vSphere: Install, Configure, Manage


Importance
Over time, your VMware vSphere environment might undergo
change in its hardware or software configuration, or in the form of
software updates or patches.
From a manageability and scalability perspective, you should
implement changes to your vSphere environment in an orderly,
controlled, and systematic fashion.


Learner Objectives
By the end of this module, you should be able to meet the following
objectives:

Describe VMware vSphere Update Manager
List the steps to install vSphere Update Manager
Use vSphere Update Manager:
  Create and attach a baseline
  Scan an inventory object
  Remediate an inventory object


vSphere Update Manager


vSphere Update Manager enables centralized, automated patch and
version management for VMware ESXi hosts, virtual machine
hardware, VMware Tools, and virtual appliances.
vSphere Update Manager reduces security risks:
  Reduces the number of vulnerabilities
  Eliminates many security breaches that exploit older vulnerabilities
vSphere Update Manager reduces the diversity of systems in an environment:
  Makes management easier
  Reduces security risks
vSphere Update Manager keeps machines running more smoothly:
  Patches include bug fixes
  Makes troubleshooting easier


vSphere Update Manager Capabilities


Enables cross-platform upgrade from VMware ESX to ESXi
Automated patch downloading:
  Begins with information-only downloading
  Is scheduled at regular configurable intervals
  Contacts the following sources for patching ESXi hosts:
    For VMware patches: https://hostupdate.vmware.com
    For third-party patches: URL of third-party source
Creation of baselines and baseline groups
Scanning:
  Inventory systems are scanned for baseline compliance.
Remediation:
  Inventory systems that are not current can be automatically patched.
Reduces the number of reboots required after Tools updates



Update Manager Components


[Diagram labels: VMware vCenter Server system; database server; hosts; vCenter Server database; optional download server with patch database; vSphere Update Manager server with patch database; VMware vSphere Client with vSphere Update Manager plug-in; Internet; VMware patch source; third-party patch source]


Installing vSphere Update Manager


vSphere Update Manager must be installed on a Windows 64-bit machine.
To install, start the VMware vCenter Installer and click VMware vSphere Update Manager.
Information needed during the installation:
  vCenter Server host name, user name, and password
  Choice of database: use default or existing database
  vSphere Update Manager port settings:
    Host name, ports, proxy settings (if necessary)
  Destination folder and location for downloading patches
To install the vSphere Update Manager client:
  Install the vSphere Update Manager Extension plug-in into vSphere Client.


Configuring vSphere Update Manager Settings

By default, all patch sources are enabled. Additional patch sources can be added if necessary.

Modify vSphere Update Manager configuration properties.


Baseline and Baseline Groups


A baseline consists of one or more patches, extensions, or upgrades.
Five types of baselines:
  Host patch
  Host extension
  Host upgrade
  Virtual machine upgrade for hardware or Tools
  Virtual appliance upgrade

(Figure: example of default baselines for hosts)

vSphere Update Manager includes a number of default baselines.
A baseline group consists of multiple baselines:
  Can contain one upgrade baseline per type and one or more patch and extension baselines

Creating a Baseline
To create a baseline:
1. Click Create.
2. Specify name and description.
3. Choose a baseline type.
4. For a patch baseline, select a patch option: Fixed or Dynamic.
5. Select patches to add to the baseline.

A host patch is added to this baseline.


Attaching a Baseline
To view compliance information and remediate inventory objects, first attach
a baseline or baseline group to an object.
For improved efficiency, attach a baseline to a container object instead of to
an individual object.


Scanning for Updates


Scanning evaluates the inventory object against the baseline or baseline
group.
A scan can be performed manually or automatically, using a scheduled task.


Viewing Compliance

In this example, the scan found two noncompliant hosts.

After the scan, patches and updates can be staged first and then remediated at a later time.


Remediating Objects
You can remediate virtual machines, templates, virtual appliances,
and hosts.
You can perform the remediation immediately or schedule it for a
later date.


Maintenance Mode and Remediation

Power off or suspend virtual machines
Option for PXE-booted ESXi 5.0


Remediation Options for a Cluster


When remediating hosts in a cluster, you must temporarily disable certain cluster features: VMware vSphere Distributed Power Management, VMware vSphere High Availability, and VMware vSphere Fault Tolerance.

You can generate a report that identifies problems before remediation occurs.


Patch Recall Notification


At regular intervals, vSphere Update Manager contacts VMware to
download notifications about patch recalls, new fixes, and alerts.
  Notification Check Schedule is selected by default.
On receiving patch recall notifications, vSphere Update Manager:
  Generates a notification in the notification tab
  No longer applies the recalled patch to any host:
    Patch is flagged as recalled in the database.
  Deletes the patch binaries from its patch repository
  Does not uninstall recalled patches from ESXi hosts:
    Instead, it waits for a newer patch and applies that to make a host compliant.


Remediation Enabled for DRS


Eliminate downtime for virtual machines when patching ESXi hosts:

UM + DRS

1. vSphere Update Manager puts the host in maintenance mode.
2. VMware vSphere Distributed Resource Scheduler (DRS) moves virtual machines to the available host.
3. vSphere Update Manager patches the host and exits maintenance mode.
4. DRS moves virtual machines back, per rule.


Using the vSphere Web Client


Eliminate downtime for virtual machines when patching ESXi hosts:

UM + DRS

1. vSphere Update Manager puts the host in maintenance mode.
2. DRS moves virtual machines to the available host.
3. vSphere Update Manager patches the host and exits maintenance mode.
4. DRS moves virtual machines back, per rule.


Lab 25: VMware vSphere Update Manager


Install, configure, and use vSphere Update Manager
1. Install vSphere Update Manager
2. Install the Update Manager Client Plug-In
3. Modify Cluster Settings
4. Configure vSphere Update Manager
5. Create a Patch Baseline
6. Attach a Baseline and Scan for Updates
7. Stage the Patches onto the ESXi Hosts
8. Remediate the ESXi Hosts
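
Lab steps 5 through 8 scripted end to end, as an added example that is not part of the course material. It assumes VMware PowerCLI with the Update Manager cmdlets, which the slides do not mention; the vCenter address, cluster name and baseline name are placeholders.

```powershell
# Added example; assumes VMware PowerCLI with the Update Manager cmdlets is installed.
# 'vcenter.example.local', 'Lab-Cluster' and the baseline name are placeholders.
Connect-VIServer -Server 'vcenter.example.local' | Out-Null
$cluster = Get-Cluster -Name 'Lab-Cluster'
$hosts   = Get-VMHost -Location $cluster

# Step 5: create a fixed (static) host patch baseline from critical host patches.
$patches  = Get-Patch -TargetType Host -Severity Critical
$baseline = New-PatchBaseline -Static -Name 'Lab-Critical-Host-Patches' `
    -Description 'Critical ESXi host patches' -TargetType Host -IncludePatch $patches

# Step 6: attach the baseline to the container object (the cluster), then scan it.
Attach-Baseline -Baseline $baseline -Entity $cluster
Scan-Inventory -Entity $cluster

# Review compliance per host before changing anything.
$compliance = Get-Compliance -Entity $hosts -Baseline $baseline
$compliance | Select-Object Entity, Status | Format-Table -AutoSize
$pending = $compliance | Where-Object { $_.Status -eq 'NotCompliant' }
if (-not $pending) {
    Write-Output 'No noncompliant hosts; nothing to stage or remediate.'
    return
}

# Step 7: stage the patches onto each noncompliant host (no reboot, no maintenance mode yet).
foreach ($item in $pending) {
    Stage-Patch -Entity $item.Entity -Baseline $baseline
}

# Step 8: remediate the cluster. DPM, HA and Fault Tolerance are disabled for the
# duration of the task, matching the cluster remediation options on the slide.
Remediate-Inventory -Entity $cluster -Baseline $baseline `
    -ClusterDisableDistributedPowerManagement:$true `
    -ClusterDisableHighAvailability:$true `
    -ClusterDisableFaultTolerance:$true `
    -Confirm:$false

# Rescan and report any host that is still not compliant.
Scan-Inventory -Entity $cluster
$left = Get-Compliance -Entity $hosts -Baseline $baseline |
    Where-Object { $_.Status -ne 'Compliant' }
if ($left) {
    Write-Warning ("Still not compliant: " + (($left | ForEach-Object { $_.Entity.Name }) -join ', '))
}
```

The per-host compliance table printed before staging is the record to keep with the change ticket; the final rescan shows whether remediation actually closed the gap.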


Review of Learner Objectives


You should be able to meet the following objectives:

Describe VMware vSphere Update Manager
List the steps to install vSphere Update Manager
Use vSphere Update Manager:
  Create and attach a baseline
  Scan an inventory object
  Remediate an inventory object


Key Points

vSphere Update Manager patches and updates ESXi 5.5 hosts as well as earlier versions of hosts, virtual machines, templates, and virtual appliances.

vSphere Update Manager reduces security vulnerabilities by keeping systems up to date and by reducing the diversity of systems in an environment.

vSphere Update Manager no longer patches guest operating systems or the applications running within guest operating systems.

Questions?
