Updating firmware and OS on ESXi 6.5 hosts

Alex
Afternoon all,

So, after finding out how bad it was at this new role when it came to updating their firmware and hosts, I've now got the pleasure of doing it. They have accepted that it's pretty bad but we're also running a version of 6.5 from November 2016........

So, my question is this: I need to know the best way to update these boxes. I'm doing the entire firmware stack for all the hardware and then grabbing the latest ESX 6.5 version and then bashing through the entire cluster.

I'm thinking this

Drop the server into maintenance mode, actually, manually move off the VMs and then go to Maintenance mode. I put one in 3 days ago and it purple screened.

Next up, update the hardware BIOS

Then update the OS

Bring it out of maintenance mode

Move the VMs back, move onto the next host. Rinse and Repeat.

Is this the best way to do it or is there a better way?

Thanks
Alex
VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017
Commented:
BEFORE we discuss your "plan" you will want to check what firmware you are updating and whether this includes

Spectre and Meltdown, and also the latest Intel CPU fix...(Intel Foreshadow)

and create a PLAN....(also including vCenter Server, all VMs, ALL VMware Tools, and ALL Virtual Machine versions)....

because it ALL has a performance impact on your Cluster!

So WHY and WHAT do you want to achieve with patching ?

I've already answered questions about this...

latest fix...

https://www.experts-exchange.com/questions/29114650/Intel-Vulnerability-Foreshadow-L1-Terminal-Fault.html

https://www.experts-exchange.com/questions/29115252/Configuration-issue-on-host-after-vSphere-updates-applied-in-vsn-6-0.html

Spectre and Meltdown

https://www.experts-exchange.com/questions/29106689/Check-ESXi-status-against-Meltdown-and-Spectre.html

https://www.experts-exchange.com/questions/29079163/ESXI-6-Meltdown-and-Spectra-patches.html



DO NOT RANDOMLY APPLY VMWARE VSPHERE PATCHES WITHOUT A PLAN!!!!


If you want to fully apply patches for Spectre and Meltdown, this also includes BIOS in Host, vCenter Server update, ESXi updates, VMware Tools per VM, Virtual Machine version Upgrade, and then Guest OS VM.

and also check performance impact! (which may require more Hosts after CPU microcode change).

and then there is Latest....which requires a script running
Alex, Senior Infrastructure Analyst

Author

Commented:
Well currently they are using an OS which was withdrawn from public availability due to instability issues.

Essentially, I want it updated to a stable version. I'd like to get the Spectre and Meltdown patches as well. Updating to ESX 6.5 update 2 would be fine to be honest. However, if you have a more reliable option I'd happily take a look.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
With the current Intel flaws, all need to be addressed, otherwise you might as well not bother with anything!

You'll need to start with Upgrading vCenter Server anyway, if present.

and then... look at posts above, but update firmwares and BIOS first.

Rotation can be done, e.g. move/migrate/turn off/maintenance mode - apply fixes to host, then repeat.

BUT read all above, as to what you need to do....it's not really just apply fix and run away at present....
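
The rotation described in this thread (move the VMs off, maintenance mode, firmware/BIOS then ESXi, back into service, next host), written in PowerCLI as an added example that is not part of the original posts. The cluster name and target build are placeholders, and it assumes an existing `Connect-VIServer` session and shared storage so `Move-VM` can vMotion between hosts.

```powershell
# Added example with hypothetical names: rolling, one-host-at-a-time update loop.
# Requires VMware PowerCLI and an existing Connect-VIServer session.
$ClusterName   = 'Prod-Cluster'          # hypothetical cluster name
$ExpectedBuild = '<TARGET-ESXI-BUILD>'   # placeholder: build number from your plan

$hosts = Get-Cluster -Name $ClusterName | Get-VMHost | Sort-Object Name

foreach ($h in $hosts) {
    # Re-read the other hosts and refuse to start if any is already out of service.
    $others = @($hosts | Where-Object { $_.Name -ne $h.Name } |
                ForEach-Object { Get-VMHost -Name $_.Name })
    if ($others | Where-Object { $_.ConnectionState -ne 'Connected' }) {
        throw "Another host is not Connected; fix that before touching $($h.Name)."
    }

    # Move running VMs off manually before entering maintenance mode.
    $i = 0
    foreach ($vm in Get-VM -Location $h | Where-Object PowerState -eq 'PoweredOn') {
        Move-VM -VM $vm -Destination $others[$i % $others.Count] -Confirm:$false | Out-Null
        $i++
    }
    if (Get-VM -Location $h | Where-Object PowerState -eq 'PoweredOn') {
        throw "VMs still running on $($h.Name); not entering maintenance mode."
    }

    Set-VMHost -VMHost $h -State Maintenance -Confirm:$false | Out-Null

    # Firmware/BIOS first, then ESXi, applied out of band according to the plan.
    Read-Host "Update firmware/BIOS, then ESXi on $($h.Name). Press Enter after reboot"

    # Stop the whole rollout if the host did not come back as expected.
    $after = Get-VMHost -Name $h.Name
    if ($after.ConnectionState -ne 'Maintenance' -or $after.Build -ne $ExpectedBuild) {
        throw "$($h.Name): state=$($after.ConnectionState) build=$($after.Build); stopping."
    }

    Set-VMHost -VMHost $after -State Connected -Confirm:$false | Out-Null
    # VMs are moved back by DRS or by hand before the next host is started.
}
```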

Alex, Senior Infrastructure Analyst

Author

Commented:
OK so let's say I'll get everything updated including all the firmware, OS and Spectre/Meltdown etc. What would be the best way to do it? I'm thinking BIOS first, then the OS.

Thanks
Alex
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
cross posted.. see above.
Alex, Senior Infrastructure Analyst

Author

Commented:
Oh wonderful :D thank you so much as always :D

Legend..... wait for it..... DARY!!!!!
Alex, Senior Infrastructure Analyst

Author

Commented:
Would it be an idea to push through to VCSA 6.7 or is that licenced separately from 6.5?
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Andrew said it best, "DO NOT RANDOMLY APPLY VMWARE VSPHERE PATCHES WITHOUT A PLAN!!!!"
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
All 6.x use the same license.

Unless you have a valid reason for moving up to 6.7, I would stick with VCSA 6.5 for the time being, plenty of life in 6.5, which has the same end of support date as 6.7.
