MODULE 12
Patch Management
Slide 12-1
613
Importance
Slide 12-3
Learner Objectives
Slide 12-4
Scan for compliance and apply updates to virtual machine hardware, appliances and hosts
Directly upgrade hosts, virtual machine hardware, Tools, and virtual appliances
Apply third-party software on hosts
Keeping the patch versions up to date for virtual machine hardware and ESXi hosts helps reduce the
number of vulnerabilities in an environment and the range of problems requiring solutions. All
systems require ongoing patching and reconfiguration or other solutions. Reducing the diversity of
systems in an environment and keeping them in compliance are security best practices. Additionally,
since patches include bug fixes, vSphere Update Manager keeps environments operating properly
and without service interruption or errors.
VMware vSphere Update Manager enables centralized, automated patch and version
management for VMware vSphere and supports VMware ESXi hosts, virtual machine
hardware, VMware Tools and virtual appliances. Updates that you specify can be applied to
ESXi hosts, virtual machine hardware, and virtual appliances that you scan. With vSphere Update
Manager, you can perform the tasks listed in the learner objectives. vSphere Update Manager 5.5 can
scan and remediate hosts, virtual machines, and virtual appliances:
ESXi 4.x and 5.x
Host upgrades of VMware ESX or ESXi 4.x to ESXi 5.x
Upgrades of Tools and virtual machine hardware for virtual machines
Upgrades of virtual appliances
Bug fixes
CAUTION
After you upgrade or migrate your host to ESXi 5.x, you cannot roll back to your ESXi 4.x
software. Back up your host configuration before performing an upgrade or migration. If the
upgrade or migration fails, you can reinstall the ESXi 4.x software and restore your host
configuration.
In addition to patching your ESXi hosts, Tools, and virtual machine hardware, you still must
continue to protect the guest operating system and applications running in the virtual machine.
Continue to protect the guest operating system and applications as you would on a physical system.
VMware does provide solutions that will assist you with this. One example is to use VMware
vCenter Configuration Manager. For information about vCenter Configuration Manager, go to
http://www.vmware.com/products/configuration-manager.
NOTE
vCenter Configuration Manager can also be used for patching and patch management. This course
focuses specifically on how vSphere Update Manager is used to perform these functions.
This process begins by downloading information about a set of security patches. One or more of
these patches are aggregated to form a baseline. Multiple baselines can be added to a baseline group.
You can use baseline groups to combine different types of baselines and then scan and remediate an
inventory object against all of them as a whole. If a baseline group contains both upgrade and patch
baselines, the upgrade runs first.
A collection of virtual appliances and ESXi hosts can be scanned for compliance with a baseline or
a baseline group and remediated (updated or upgraded). These processes can be started manually or
through scheduled tasks.
vSphere Update Manager uses a set of operations to ensure effective patch and upgrade
management.
(Optional) Download server: If your vSphere Update Manager server lacks direct access to the
Internet, you can create a download server outside the internal network for downloading
patches. You then load them to the vSphere Update Manager server by using portable media,
such as DVDs, or a shared repository, such as a shared folder or URL.
The Update Manager Download Service (UMDS) is an optional module of vSphere Update
Manager, which is used on the download server to download patches. With UMDS in vSphere
Update Manager 5.5, you can configure these settings:
Configure multiple download URLs
Restrict downloads to the product versions and types that are relevant to your environment
NOTE
You can install vSphere Update Manager on the same computer as vCenter Server or on a different
computer. vSphere Update Manager runs on these Windows versions:
Windows Server 2003 SP2 [Standard/Enterprise/Datacenter] 64-bit
Windows Server 2003 R2 [Standard/Enterprise/Datacenter] 64-bit
Windows Server 2003 R2 SP2 [Standard/Enterprise/Datacenter] 64-bit
Windows Server 2008 SP1 [Standard/Enterprise/Datacenter] 64-bit
Windows Server 2008 SP2 [Standard/Enterprise/Datacenter] 64-bit
Windows Server 2008 R2 [Standard/Enterprise/Datacenter] 64-bit
Windows Server 2008 R2 SP1 [Standard/Enterprise/Datacenter] 64-bit
You can install vSphere Update Manager only on a 64-bit machine.
If the vCenter Server database is installed on the same machine as the Update Manager database,
the memory requirements are higher. Minimum hardware for acceptable performance:
Have two or more logical cores, each with a speed of 2GHz.
2GB of RAM is required if vSphere Update Manager and vCenter Server are on different
machines.
4GB of RAM is required if vSphere Update Manager and vCenter Server are on the same
machine.
VMware recommends that you use a Gigabit connection between vSphere Update Manager and
the ESXi hosts. However, a 10/100 Mbps connection is acceptable.
To install vSphere Update Manager, start the VMware vCenter Installer and click the VMware
vSphere Update Manager link.
Gather information about the environment into which you are installing vSphere Update Manager,
including:
The vCenter Server system that vSphere Update Manager will work with. The necessary
information includes:
The vCenter Server IP address or host name
Port numbers (in most cases, the default Web service ports, 80 and 443, are used)
Administrative credentials (the Administrator account is often used)
The system DNS name plus the user name and password for the database that vSphere Update
Manager will work with.
During the installation, you can configure vSphere Update Manager to work with an Internet proxy
server.
The vSphere Update Manager client component is delivered as a plug-in for the vSphere Client.
After installing vSphere Update Manager, install the vSphere Update Manager plug-in in any
vSphere Client that you will use to manage vSphere Update Manager.
In the vSphere Client menu bar, select Plug-ins > Manage Plug-ins. In the Plug-in Manager
window, click Download and Install for the vSphere Update Manager plug-in. The installed plug-in
appears under Installed Plug-ins.
The disk storage requirements for vSphere Update Manager vary depending on your deployment.
Make sure that you have at least 20GB of free space in which to store patch data. Depending on the
size of your deployment, vSphere Update Manager requires a minimum amount of free space per
month for database usage.
Before installing vSphere Update Manager, you must create a database instance and configure it to
ensure that all vSphere Update Manager database tables are placed in it. vSphere Update Manager
can handle small-scale environments using the bundled SQL Server 2008 R2 Express. For
environments with more than 5 hosts and 50 virtual machines, create either an Oracle or a SQL
Server database for vSphere Update Manager. For large-scale environments, set up the vSphere
Update Manager database on a different computer than the vSphere Update Manager server and the
vCenter Server database.
You can modify the following administrative settings for vSphere Update Manager. Select Home >
Solutions and Applications > Update Manager and click the Configuration tab:
Network Connectivity: Network settings, such as IP address or host name for patch store.
Download Settings: Where to obtain patches and where to configure the proxy settings.
Download Schedule: How frequently to download patches. This setting has no effect on an
optional download server, which is separate from the vSphere Update Manager server.
Notification Check Schedule: How frequently to check for notifications about patch recalls,
patch fixes, and alerts.
Virtual Machine Settings: Whether to take a snapshot of the virtual machines before
remediation to enable rollback and how long to keep snapshots. Snapshots use disk space, but
they also protect you if the upgrade fails.
ESXi Host/Cluster Settings: How vSphere Update Manager responds to a failure that might
occur when placing an ESXi host in maintenance mode. This setting also allows you to
temporarily disable VMware vSphere Distributed Power Management (DPM), VMware
vSphere High Availability admission control, and VMware vSphere Fault Tolerance for
cluster updates to succeed.
vApp Settings: Enable or disable smart reboot of virtual appliances after remediation.
When you scan hosts, virtual machines, and virtual appliances, you evaluate them against baselines
and baseline groups to determine their level of compliance.
Baselines contain a collection of one or more patches, extensions, bug fixes, or upgrades. Baselines
can be classified as upgrade, extension, or patch baselines.
An extension refers to additional software for ESXi hosts. This additional software might be
VMware software or third-party software. Some examples of extensions include:
Additional features.
Updated drivers for hardware.
Common Information Model (CIM) providers for managing third-party modules on the host.
Improvements to the performance or usability of existing host features.
Baseline types:
Host patch: A set of patches to apply to a host or set of hosts, based on applicability.
Host extension: A fixed set of extensions for your ESXi host.
Host upgrade: An upgrade release that allows you to upgrade hosts to a particular release
version.
VMware Tools upgrade (to match host): An upgrade release that checks virtual machines for
compliance with the latest Tools version on the host. vSphere Update Manager supports
upgrading of Tools for virtual machines on hosts that are running ESXi 4.0 and later.
Virtual machine hardware upgrade (to match host): An upgrade release that checks the virtual
hardware of a virtual machine for compliance with the latest version supported by the host.
vSphere Update Manager supports upgrading to virtual hardware version 10 on hosts that are
running ESXi 5.x.
Virtual appliance upgrade: A set of patches to the operating system or application in the virtual
appliance.
Baseline groups are assembled from existing baselines. They might contain one upgrade baseline
per type and one or more patch and extension baselines, or a combination of multiple patch and
extension baselines.
Administrators can create, edit, delete, attach, or detach baselines and baseline groups. For large
organizations with different groups or divisions, each group can define its own baselines.
Creating a Baseline
Slide 12-11
To create a baseline, select Home > Solutions and Applications > Update Manager and click the
Baselines and Groups tab. Click the Create link to start the New Baseline wizard. Enter a name
and description for your baseline. Select one of the five baseline types.
If you are creating a patch baseline, you must also select a patch option: Fixed or Dynamic.
A fixed baseline remains the same even if new patches are added to the repository. With a fixed
patch baseline, the user manually specifies all updates included in the baseline from all the patches
available in vSphere Update Manager. Fixed updates are typically used to check whether systems
are prepared to deal with particular problems. For example, you might use fixed baselines to check
for compliance with patches to prevent computer worms.
A dynamic baseline is updated when new patches meeting the specified criteria are added to the
repository. The criteria that you can specify are patch vendor, product, severity, and release dates. As
the set of available updates changes, dynamic patch baselines are updated as well. You can explicitly
include or exclude an update.
Attaching a Baseline
Slide 12-12
Although you can attach baselines and baseline groups to individual objects, attaching them to
container objects, such as folders, hosts, clusters, and data centers, is more efficient. Attaching a
baseline to a container object attaches the baseline to all objects in the container. On the slide, a host
patch baseline named ESXi Host Update is attached to a cluster object named Lab Cluster. The host
patch baseline is attached to the two hosts in Lab Cluster: esxi01 and esxi02.
To attach baselines to ESXi hosts
1. Go to the Hosts and Clusters inventory view.
2. Select the object and click the Update Manager tab.
3. Click Attach.
4. Select the baselines or baseline group that you want to attach to the object.
To attach baselines to virtual machines, templates, and virtual appliances, go to the VMs and
Templates inventory view.
To view compliance information and remediate objects in the inventory against specific baselines
and baseline groups, attach existing baselines and baseline groups to these objects.
Scanning is the process in which attributes of a set of hosts, virtual machines, or virtual appliances
are evaluated against patches, extensions, and upgrades in the attached baselines and baseline
groups. You can configure vSphere Update Manager to scan virtual machines, virtual appliances,
and ESXi hosts against baselines and baseline groups by scheduling or manually initiating scans to
generate compliance information.
If the object that you select is a container object, all child objects are also scanned. The larger the
virtual infrastructure and the higher up in the object hierarchy that you begin the scan, the longer the
scan takes.
After you have an inventory object attached to a baseline, perform a scan by right-clicking the object
and selecting Scan for Updates. Or click the Scheduled Tasks button and create a scheduled task.
To schedule the scan, select Home > Management > Scheduled Tasks. In the toolbar, click New. In
the Schedule Task dialog box, select the task Scan for Updates. The Schedule a Scan wizard allows
you to define the object to scan, the type of scan to perform, and the time to perform the scan.
A scheduled task is useful because it can automatically scan an object for problems. This scan
catches new objects that do not match a defined baseline. Using a dynamic baseline, instead of a
fixed baseline, discovers new vulnerabilities and needed updates.
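The fixed and dynamic baseline types described above, and the compliance result a scan produces for each attached baseline, modelled in Python. This is an added illustration, not vSphere Update Manager code; the patch identifiers, vendors, products and dates are constructed, and the compliant/noncompliant/unknown outcome is a simplification (a host is compliant with a baseline when every member patch is installed, and unknown when it has never been scanned).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Patch:
    patch_id: str
    vendor: str
    product: str
    severity: str
    released: date

# Constructed patch repository; identifiers and vendors are illustrative, not real bulletins.
REPOSITORY = [
    Patch("VA-0001", "VendorA", "ESXi 5.5", "critical", date(2013, 9, 1)),
    Patch("VA-0002", "VendorA", "ESXi 5.5", "important", date(2013, 10, 15)),
    Patch("VA-0003", "VendorA", "ESXi 5.1", "critical", date(2013, 10, 20)),
    Patch("VB-0001", "VendorB", "ESXi 5.5", "moderate", date(2013, 11, 2)),
]

@dataclass
class FixedBaseline:
    """Fixed baseline: the administrator picks the members by hand; new repository
    content never changes the set."""
    name: str
    patch_ids: frozenset

    def members(self, repo):
        known = {p.patch_id for p in repo}
        return set(self.patch_ids) & known

@dataclass
class DynamicBaseline:
    """Dynamic baseline: every repository patch matching the criteria (vendor, product,
    severity, release date), plus explicit includes, minus explicit excludes.
    Resolving it again after a download picks up newly added patches."""
    name: str
    vendors: frozenset = frozenset()      # an empty criterion means "any"
    products: frozenset = frozenset()
    severities: frozenset = frozenset()
    released_after: Optional[date] = None
    include: frozenset = frozenset()
    exclude: frozenset = frozenset()

    def matches(self, p):
        return ((not self.vendors or p.vendor in self.vendors)
                and (not self.products or p.product in self.products)
                and (not self.severities or p.severity in self.severities)
                and (self.released_after is None or p.released >= self.released_after))

    def members(self, repo):
        ids = {p.patch_id for p in repo if self.matches(p)}
        return (ids | set(self.include)) - set(self.exclude)

def scan(installed, baselines, repo):
    """Compliance of one host against each attached baseline (simplified model)."""
    report = {}
    for b in baselines:
        if installed is None:                      # host never reported its patch set
            report[b.name] = "unknown"
        else:
            ok = b.members(repo) <= set(installed)
            report[b.name] = "compliant" if ok else "noncompliant"
    return report

def demo():
    worm_fix = FixedBaseline("Worm fix check", frozenset({"VA-0001"}))
    critical = DynamicBaseline("Critical ESXi 5.5", products=frozenset({"ESXi 5.5"}),
                               severities=frozenset({"critical"}), include=frozenset({"VA-0002"}))
    host = {"VA-0001", "VA-0002"}                  # constructed: what the host has installed
    before = scan(host, [worm_fix, critical], REPOSITORY)
    # A new critical ESXi 5.5 patch is downloaded: the dynamic baseline grows and the host
    # drops out of compliance, while the fixed baseline still reports compliant.
    repo2 = REPOSITORY + [Patch("VA-0004", "VendorA", "ESXi 5.5", "critical", date(2013, 12, 3))]
    after = scan(host, [worm_fix, critical], repo2)
    return before, after
```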
To upgrade VMware Tools and virtual machine hardware, a supported guest operating system must
be running in the virtual machine. The following list identifies the supported guest operating
systems included with the initial release of vSphere Update Manager 5.5:
Windows XP Professional 32-bit (SP3 required)
Windows XP Professional 64-bit (SP2 required)
Windows 2000 [Professional/Server/Advanced Server/Datacenter Server] 32-bit
Windows 2000 [Professional/Server/Advanced Server/Datacenter Server] 64-bit
Windows Server 2003 [Standard/Enterprise/Datacenter] 32-bit (SP2 required)
Windows Server 2003 [Standard/Enterprise/Datacenter] 64-bit (SP2 required)
Windows Server 2003 R2 [Standard/Enterprise/Datacenter] 32-bit (SP2 required)
Windows Server 2003 R2 [Standard/Enterprise/Datacenter] 64-bit (SP2 required)
Windows Vista [Business/Enterprise] 32-bit (SP2 required)
Windows Vista [Business/Enterprise] 64-bit (SP2 required)
Debian 4
Debian 5
Debian 6
Ubuntu 7.x
Ubuntu 8.x
Ubuntu 9.x
Ubuntu 10.x
Ubuntu 11.x
SUSE Linux Enterprise Server 8
SUSE Linux Enterprise Server 9
Oracle Enterprise Linux 4
Oracle Enterprise Linux 5
Oracle Enterprise Linux 6
Asianux 3
Asianux 4
Viewing Compliance
Slide 12-14
The results of the scan provide information on the degree of conformance with baselines and
baseline groups. Information includes the time the last scan was completed at this level and the total
number of compliant and noncompliant baselines. For each baseline or baseline group, the scan
results report the number of virtual machines, appliances, or hosts that are compliant, noncompliant,
or unknown.
On the slide, the hosts in the cluster named Lab Cluster were scanned. After viewing compliance
information, the next step is to remediate the host. Before remediation, you can perform an
additional step on host objects called staging.
Staging allows you to download the patches and extensions from the Update Manager server to the
ESXi hosts, without applying the patches and extensions immediately. Staging patches and
extensions speeds up the remediation process because the patches and extensions are already
available locally on the hosts. You can reduce the downtime during remediation by staging patches
and extensions whose installation requires that a host enter maintenance mode. Staging patches and
extensions itself does not require that the hosts enter maintenance mode.
To view compliance of hosts or virtual machines with vSphere Update Manager patch baselines,
select the object in the appropriate inventory view and click the Update Manager tab. To view
virtual machine compliance, you must use the VMs and Templates inventory view.
Remediating Objects
Slide 12-15
You can remediate virtual machines, virtual appliances, and hosts by using either user-initiated
remediation or regularly scheduled remediation. To remediate an object, right-click the inventory
object and select Remediate.
For ESXi hosts in a cluster, the remediation process is sequential, unless there are sufficient
resources available, in which case you can choose to remediate concurrently. When you remediate a
cluster of hosts and one of the hosts fails to enter maintenance mode, vSphere Update Manager
reports an error and the process fails. The hosts in the cluster that did get remediated stay at the
updated level. The ones that were to be remediated after the failed host are not updated. When you
remediate hosts against baseline groups containing an upgrade baseline and patch or extension
baselines, the upgrade is performed first.
For multiple clusters under a data center, the remediation processes run in parallel. If the
remediation process fails for one of the clusters in a data center, the remaining clusters are still
remediated.
To remediate virtual machines and virtual appliances together, they must be in one container, such as
a folder, a vApp, or a data center. You must then attach a baseline group or a set of individual virtual
appliance or virtual machine baselines to the container. If you attach a baseline group, it can contain
both virtual machine and virtual appliance baselines. The virtual machine baselines apply to virtual
machines only. The virtual appliance baselines apply to virtual appliances only.
Some updates require that a host enters maintenance mode before remediation. Virtual machines and
appliances cannot run when a host is in maintenance mode.
To reduce the host remediation downtime at the expense of virtual machine availability, you can
choose to shut down or suspend virtual machines and virtual appliances before remediation. In a
VMware vSphere Distributed Resource Scheduler (DRS) cluster, if you do not power off the
virtual machines, the remediation takes longer but the virtual machines are available during the entire
remediation process, because they are migrated with VMware vSphere vMotion to other hosts.
Select Retry entering maintenance mode in case of failure, specify the number of retries, and
specify the time to wait between retries. vSphere Update Manager waits for the retry delay period
and retries putting the host into maintenance mode as many times as you indicate in the Number of
retries field.
vSphere Update Manager does not remediate hosts on which virtual machines have connected CD,
DVD, or floppy drives. In clustered environments, connected media devices might prevent vSphere
vMotion if the destination host does not have an identical device or mounted ISO image, which in
turn prevents the source host from entering maintenance mode.
The option Disable any removable media devices connected to the virtual machine on the host
exists for this reason. After remediation, vSphere Update Manager reconnects the removable media
devices if they are still available.
The check box under ESXi 5.x Patch Settings to enable vSphere Update Manager to patch
powered-on PXE booted ESXi hosts appears only when you remediate hosts against patch or
extension baselines.
Remediation of hosts in a cluster requires that you temporarily disable cluster features like DPM and
vSphere HA admission control. You should also turn off vSphere FT if it is enabled on any of the
virtual machines on a host. Disconnect the removable devices connected to the virtual machines on a
host, so that they can be migrated with vSphere vMotion.
Before you start the remediation process, you can generate a report that shows which cluster, host,
or virtual machine has cluster features enabled. On the Cluster Remediation Options page of the
Remediate wizard, click Generate Report. The Cluster Remediation Options Report shows the
name of the cluster, host, or virtual machine on which a problem is reported. The report also
displays recommendations on how to fix the problem.
When patches with problems or potential problems are released, these patches are recalled in the
metadata, and vSphere Update Manager marks them as recalled. If you try to install a recalled patch,
vSphere Update Manager notifies you that the patch is recalled and does not install it on the host. If
you have already installed such a patch, vSphere Update Manager notifies you that the recalled
patch is installed on certain hosts. vSphere Update Manager also deletes all the recalled patches
from the vSphere Update Manager patch repository.
When a new patch is released, vSphere Update Manager downloads it and prompts you to install it
to fix the problems that the recalled patch might cause. If you try to install the recalled patch,
vSphere Update Manager alerts you that the patch is recalled and that you must install a fix.
Typically, hosts are put into maintenance mode before remediation if the update requires it. Virtual
machines cannot run when a host is in maintenance mode. vCenter Server migrates the virtual
machines to other hosts in a cluster before the noncompliant host is put in maintenance mode.
vCenter Server can migrate the virtual machines if the cluster is configured for vSphere vMotion
and if DRS and Enhanced vMotion Compatibility (EVC) are enabled. EVC is not a prerequisite for
vSphere vMotion migration. EVC guarantees that the CPUs of the hosts are compatible. For other
containers or individual hosts that are not in a cluster, migration with vSphere vMotion cannot be
performed.
vSphere Update Manager 5.x can patch and upgrade your ESXi hosts based on available cluster
capacity and can remediate an optimal number of ESXi hosts simultaneously without virtual
machine downtime. Additionally, for scenarios where turnaround time is more important than virtual
machine uptime, you have the choice to remediate all ESXi hosts in a cluster simultaneously.
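The cluster remediation behaviour described in this module (hosts in a cluster remediated sequentially with the process stopping at the first host that cannot enter maintenance mode, clusters under a data center remediated independently, upgrade baselines in a group applied before patch and extension baselines, maintenance-mode retries, connected removable media blocking maintenance mode, and recalled patches never being installed), modelled in Python. This is an added simulation, not vSphere Update Manager code; host names, patch identifiers and the number of attempts a host needs before maintenance mode succeeds are constructed inputs.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    installed: set = field(default_factory=set)
    connected_media: bool = False   # a VM on this host has a CD/DVD/floppy connected
    attempts_needed: int = 1        # constructed: attempts before maintenance mode succeeds

@dataclass
class Baseline:
    name: str
    kind: str                       # "upgrade", "patch" or "extension"
    patch_ids: set

def enter_maintenance_mode(host, retries, disable_media):
    """Models 'Retry entering maintenance mode': one attempt plus `retries` more.
    Connected removable media blocks vMotion of the VMs, so the host cannot enter
    maintenance mode unless the option to disable the media is selected."""
    if host.connected_media and not disable_media:
        return False
    for attempt in range(1, retries + 2):
        if attempt >= host.attempts_needed:
            return True
    return False

def remediate_cluster(hosts, baseline_group, recalled, retries=0, disable_media=False):
    """Sequential remediation of the hosts in one cluster. Upgrade baselines run before
    patch and extension baselines, recalled patches are never installed, and when a host
    fails to enter maintenance mode the cluster process stops: hosts already remediated
    keep their updates, later hosts are left untouched."""
    ordered = sorted(baseline_group, key=lambda b: 0 if b.kind == "upgrade" else 1)
    log = []
    for host in hosts:
        if not enter_maintenance_mode(host, retries, disable_media):
            log.append((host.name, "failed: could not enter maintenance mode"))
            return log, False
        for b in ordered:
            skipped = b.patch_ids & recalled
            host.installed |= b.patch_ids - recalled
            log.append((host.name, f"{b.kind} {b.name}: {len(skipped)} recalled skipped"))
        log.append((host.name, "remediated"))
    return log, True

def remediate_datacenter(clusters, baseline_group, recalled, retries=0, disable_media=False):
    """Clusters under a data center are remediated independently of each other:
    a failure in one cluster does not stop the remaining clusters."""
    return {name: remediate_cluster(hosts, baseline_group, recalled, retries, disable_media)
            for name, hosts in clusters.items()}

def demo():
    # Constructed sample inventory; names and patch identifiers are illustrative.
    group = [Baseline("Critical patches", "patch", {"PATCH-0001", "PATCH-0002"}),
             Baseline("ESXi 5.5 upgrade", "upgrade", {"UPGRADE-55"})]
    recalled = {"PATCH-0002"}          # marked recalled in the downloaded metadata
    clusters = {
        "Lab Cluster": [Host("esxi01"), Host("esxi02", attempts_needed=3)],
        "Prod Cluster": [Host("esxi03"), Host("esxi04", connected_media=True), Host("esxi05")],
    }
    results = remediate_datacenter(clusters, group, recalled, retries=1)
    return results, clusters
```

With one retry, esxi02 (needing three attempts) and esxi04 (connected media) both fail to enter maintenance mode, so each cluster stops after its first host while the other cluster still runs.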
The Web Client can be used to view scan results for patch baselines that are created using vSphere
Client. Actions such as creating baselines and remediating hosts must be performed from vSphere
Client.
The vSphere Web Client can be used for the following tasks:
Attach and detach baselines and baseline groups from a selected inventory object
View compliance and scan results for each selected inventory object
Scan a selected inventory object
In vSphere 5.5, when the vSphere Update Manager server component is installed, the vSphere Web
Client is automatically updated with vSphere Update Manager information. The vSphere Update
Manager entry appears under the Monitor tab of the Web Client.
Key Points
Slide 12-23