Here we are with the final steps of upgrading our homelab to the latest VMware release. In this stage we are going to install the latest vSphere patches. We have previously seen how to do this from the command line with vSphere 6.0. In this case we are going to use VMware Update Manager, now built into the VCSA 6.7 appliance, and everything is a lot easier.
To recap the previous steps needed to get to the latest VMware version, here is a quick list with links:
- Upgrade VMware VCSA 6.5 to 6.7
- Update VMware VCSA to latest release
- Upgrade VMware vSphere Hosts to version 6.7
At this point we are ready to install latest VMware vSphere patches with VMware Update Manager. How does it work? Pretty simple. Similarly to what we have already seen for the vSphere Hosts upgrade, it’s a matter of creating a new Baseline for patches. By default the VMware Update Manager is already shipping with 2 default Baselines which cover both critical and non-critical patches. These are not customisable.
The idea is to create a custom Baseline with specific vSphere patches. For example, since we have already upgraded the Host to version 6.7, and considering the vSphere patches are cumulative, there is no need to install all of them, just the latest ones. This is interesting because it is possible to create a Baseline Group which couples a specific Host version with the very latest vSphere patches.
In this article we are going to see this vSphere update process including the changes to an existing custom Baseline.
How to install latest VMware vSphere patches
VMware Update Manager (VUM) is the module we’ll use to create the Baseline and remediate the vSphere Hosts with the latest patches. Let’s navigate to Home > Update Manager from the vSphere Client and choose a vSphere Host. From here we can review the current build installed. Let’s click on Update Manager Home and create / review the Baselines.
In the Home tab there is a view of information like Hosts, Non-compliant ones and attached Baselines.
Let’s move to the Baselines to review and eventually create new custom ones. In my example I have already created a couple of these to cover the vSphere patches and Host upgrades. At the time of writing the patch Baseline automatically includes 7 patch definitions showing in the lower part of the screen.
Let’s edit this Baseline and review the settings. Everything is wizard driven and all we need to do initially is provide a name and description. I would advise using a naming convention, as the overall view will look a lot cleaner, especially in big environments with many Baselines for several purposes.
In the automatic patches selection we can define the criteria by which downloaded patch definitions will be automatically added to the Baseline. This is one of the reasons why constant internet access from the VUM is important: it is how it gets the latest definitions. The most frequent ones are those for vSAN environments. At the time of writing, the configuration shown in the screenshot below yields 7 patches in total for VMware ESXi 6.7.0.
In the next step we can also manually include other patches to the Baseline. I find this option useful when creating Baselines for Extensions instead as we can add for example patches to drivers and other VIBs installed on the vSphere Hosts.
And a final summary with the option to review and amend changes.
At this point from the Updates tab for each definition we can also see the associated Baselines.
From the Baseline tab we can associate a vSphere Host to start the staging and remediation process.
When browsing the Host > Updates section we can see the associated Baselines. Ideally we can initiate the staging process and then remediate the Host.
The thing is, this Baseline includes all 7 patches. Knowing these are cumulative updates, do we really need to install all of them? What we can do instead is edit the custom Baseline to include only vSphere patches published on or after a specific date. In this case I’m choosing the date of 26th of July 2018 in order to get the latest cumulative updates only. The Baseline now shows 3 vSphere patches out of 7.
Let’s start by staging locally the patches onto the vSphere Host.
The process will run in the background and is visible from the recent tasks panel.
At this point we are ready to remediate the vSphere Host. In addition the wizard shows the remediation settings with default values:
- Allow Quick Boot: Yes
- VM Power state: –
- Disable removable media devices that might prevent a host from entering maintenance mode: No
- Retry entering maintenance mode in case of failure: Yes
- Retry delay (minutes): 5
- Number of retries: 3
- Allow installation of additional software on PXE booted hosts: No
- Disable Distributed Power Management (DPM): Yes
- Disable High Availability Admission Control: No
- Disable Fault Tolerance (FT): No
- Enable parallel remediation for hosts in cluster: No
- Migrate powered off and suspended VMs to other hosts in the cluster, if a host must enter maintenance mode
According to the remediation settings the installation will:
- Enter Host in maintenance mode
- Install vSphere patches
- Check patches
- Initiate Host reboot
- Exit maintenance mode
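The same sequence (date-limited Baseline, attach, scan, stage, remediate) can be scripted with the PowerCLI Update Manager module, which helps when the result needs to be repeatable and auditable across Hosts. This is an added example, not part of the original walkthrough; the vCenter address, Host name and Baseline name are placeholders, and only the host-level remediation settings from the list above are passed.

```powershell
# Added example. Assumed values (not from the article): vCenter address,
# Host name and Baseline name. Requires PowerCLI with VMware.VumAutomation.
$vCenter  = 'vcsa.lab.example'
$hostName = 'esxi01.lab.example'
$blName   = 'ESXi-6.7-Patches-Latest'

Import-Module VMware.VumAutomation
Connect-VIServer -Server $vCenter | Out-Null

$vmhost = Get-VMHost -Name $hostName
"Build before patching: $($vmhost.Build)"

# Dynamic Host patch Baseline limited to patches released on or after
# 26 July 2018, the cut-off date used in the article. No product criterion
# is set here; patches for other ESXi versions are simply not applicable.
$baseline = New-PatchBaseline -Dynamic -Name $blName -TargetType Host `
    -Description 'Cumulative ESXi patches released on or after 2018-07-26' `
    -SearchPatchStartDate ([datetime]'2018-07-26')

# Attach the Baseline and scan, then show the compliance state.
Add-EntityBaseline -Entity $vmhost -Baseline $baseline
Test-Compliance -Entity $vmhost
Get-Compliance -Entity $vmhost -Baseline $baseline |
    Format-Table Entity, Baseline, Status -AutoSize

# Stage the patches on the Host before remediation.
Copy-Patch -Entity $vmhost -Baseline $baseline -Confirm:$false

# Remediate with the host-level defaults listed above:
# retry entering maintenance mode 3 times, 5 minutes (300 s) apart,
# and do not disable removable media devices.
Update-Entity -Entity $vmhost -Baseline $baseline `
    -HostFailureAction Retry `
    -HostNumberOfRetries 3 `
    -HostRetryDelaySeconds 300 `
    -HostDisableMediaDevices:$false `
    -Confirm:$false

# Re-scan and confirm the Host is compliant and on the new build.
Test-Compliance -Entity $vmhost
Get-Compliance -Entity $vmhost -Baseline $baseline |
    Format-Table Entity, Baseline, Status -AutoSize
"Build after patching: $((Get-VMHost -Name $hostName).Build)"

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Recording the build number and compliance status before and after gives a simple record that the patch level actually changed on each Host.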
At this point we are now ready to install vSphere patches on the remaining Hosts and make them compliant as well.