VMware 6.5 Host Patching
Hi
I have an ESXi host running 6.5. I used VUM to find patches. Am I OK to just install them all?
Will it cause issues?
Please see attachment for updates
Thanks
Capture.JPG
Okay, so you are currently at - ESXi 6.5 U2c
latest is Build 10884925 (which is sort of Patch "12")
You already have those patches applied, but here is the link
https://kb.vmware.com/s/article/56547
https://kb.vmware.com/s/article/55806
So you are okay to update.
ASKER
Brilliant, thanks for the information.
So I'm OK to just tick them all and proceed?
Yes....proceed.
ASKER
Thanks so much!
no problems
Please be aware that occasionally VMware does pull patches and issue some emergency fixes. Due to this, I find it rather important to ensure to have some sort of logic applied to your patching schedule to be safe. This is a great website to reference that outlines what's in every patch: https://esxi-patches.v-front.de/ESXi-6.5.0.html
There are also links for 6.7, 6.0 and other versions there, but it helps to find out what is being patched. For example, sometimes a patch is issued where it is bugfixes mostly for vSAN, which we currently are not using; therefore it was not as urgent for us to get this patched.
Additionally, due to security compliance internally at my company, we created a schedule on when things would get patched. Within 30 days of a patch release, our test cluster will be patched. Within 90 days of that our production will be patched with it. This is assuming you have the luxury of a test environment, but at least having some sort of window of 90 days can mitigate the problems that come across when patches are released that might cause more harm than good.
One VUM feature to use is the ability to list patches based on date. You can specify to only show patches from 30 days ago and prior; this way you are not getting the latest patch, in order to avoid any potential issue.
ASKER
Evening,
I got stuck patching my host. I forgot that in order to remediate using VUM my vCenter server would need to be moved off the host.
Unfortunately I don't have another host.
How can I update using CLI?
Thanks
ah, well that's an issue if you only have a single host!
you cannot use VUM...
so you'll have to do this...
1. Power down ALL VMs (or move to another host you don't have)
2. Connect via SSH remotely or at the console
3. Enter maintenance mode.
and type the following at the bash prompt
esxcli network firewall ruleset set -e true -r httpClient
esxcli software profile update -p ESXi-6.5.0-20181104001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
esxcli network firewall ruleset set -e false -r httpClient
if your host has Internet..
shutdown and restart the host, and exit maintenance mode.
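The sequence in the answer above, wrapped as a script so that the outbound httpClient firewall ruleset is closed again even when the update fails. This is an added example, not part of the original post; the function names, exit codes and the `--apply` switch are hypothetical, while the profile name and depot URL are the ones given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): wraps the three esxcli commands above.
# Save under any name and run on the host with the single argument --apply.
PROFILE="ESXi-6.5.0-20181104001-standard"   # profile named in the thread
DEPOT="https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml"

# True only when the host reports maintenance mode as Enabled.
in_maintenance_mode() {
    [ "$(esxcli system maintenanceMode get)" = "Enabled" ]
}

# Close the outbound HTTP client ruleset again; called on every exit path
# that opened it.
close_http_client() {
    esxcli network firewall ruleset set -e false -r httpClient
}

# patch_host PROFILE DEPOT
# Returns 0 on success, 2 if the host is not in maintenance mode,
# 3 if the ruleset could not be opened, 4 if the dry run or update failed.
patch_host() {
    profile=$1
    depot=$2
    if ! in_maintenance_mode; then
        echo "host is not in maintenance mode; refusing to patch" >&2
        return 2
    fi
    esxcli network firewall ruleset set -e true -r httpClient || return 3
    rc=0
    # Dry run first: resolves the profile against the depot without installing.
    if esxcli software profile update -p "$profile" -d "$depot" --dry-run; then
        esxcli software profile update -p "$profile" -d "$depot" || rc=4
    else
        rc=4
    fi
    close_http_client || echo "WARNING: httpClient ruleset still enabled" >&2
    return "$rc"
}

if [ "${1:-}" = "--apply" ]; then
    patch_host "$PROFILE" "$DEPOT" &&
        echo "update installed; reboot the host, then exit maintenance mode"
fi
```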
ASKER
Thanks
I ended up downloading the latest patches from VMware, uploading them to the datastore and installing using esxcli software profile update -d
Thanks for everything!
Well that's another way just slower....like my article states... just use the correct files (updates)
HOW TO: Update VMware ESXi 6.0.0 GA to ESXi 6.0.0b in 5 easy steps
ASKER
Would you know by looking at the CPUs?
I'm on build VMware ESXi, 6.5.0, 9298722
My CPU is Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz