Patch Management Module 13
You Are Here Course Introduction Introduction to Virtualization Creating Virtual Machines VMware vcenter Server Configuring and Managing Virtual Networks Configuring and Managing vsphere Storage Virtual Machine Management Data Protection Access and Authentication Control Resource Management and Monitoring High Availability and Fault Tolerance Host Scalability Patch Management Installing VMware vsphere Components 13-2
Importance Over time, your VMware vsphere environment might undergo change in its hardware or software configuration, or in the form of software updates or patches. From a manageability and scalability perspective, you should implement changes to your vsphere environment in an orderly, controlled, and systematic fashion. 13-3
Learner Objectives After this module, you should be able to do the following: Describe VMware vsphere Update Manager. List the steps to install Update Manager. Use Update Manager: Create and attach a baseline. Scan an inventory object. Remediate an inventory object. 13-4
Update Manager Update Manager enables centralized, automated patch and version management for VMware vsphere ESXi hosts, virtual machine hardware, VMware Tools, and virtual appliances. Update Manager reduces security risks: Reduces the number of vulnerabilities. Eliminates many security breaches that exploit older vulnerabilities. Update Manager reduces the diversity of systems in an environment: Makes management easier Reduces security risks Update Manager keeps machines running more smoothly: Patches include bug fixes Makes troubleshooting easier 13-5
Update Manager Capabilities Enables cross-platform upgrade from VMware ESX to ESXi Automated patch downloading: Begins with information-only downloading Is scheduled at regular configurable intervals Contacts the following sources for patching ESXi hosts: For VMware patches: https://hostupdate.vmware.com For third-party patches: URL of third-party source Creation of baselines and baseline groups Scanning: Inventory systems are scanned for baseline compliance. Remediation: Inventory systems that are not current can be automatically patched. Reduces the number of reboots required after VMware Tools updates 13-6
Update Manager Components VMware vcenter Server system database server hosts vcenter Server database optional download server patch database Update Manager server VMware vsphere Client with Update Manager plug-in Internet patch database third-party patch source VMware patch source 13-7
Installing Update Manager Update Manager must be installed on a Windows 64-bit machine. To install, start the VMware vcenter Installer and click VMware vsphere Update Manager. Information needed during the installation: vcenter Server host name, user name, and password Choice of database: use default or existing database Update Manager port settings: Host name, ports, proxy settings (if necessary) Destination folder and location for downloading patches To install the Update Manager client: Install the Update Manager Extension plug-in into the vsphere Client. 13-8
Configuring Update Manager Settings By default, all patch sources are enabled. Additional patch sources can be added if necessary. Modify Update Manager configuration properties. 13-9
Baseline and Baseline Groups A baseline consists of one or more patches, extensions, or upgrades. Five types of baselines: Host patch Host extension Host upgrade Virtual machine upgrade for hardware or VMware Tools Virtual appliance upgrade Update Manager includes a number of default baselines. example of default baselines for hosts A baseline group consists of multiple baselines: Can contain one upgrade baseline per type and one or more patch and extension baselines 13-10
Creating a Baseline To create a baseline: 1. Click Create. 2. Specify name and description. 3. Choose a baseline type. 4. For a patch baseline, select a patch option: Fixed or Dynamic. 5. Select patches to add to the baseline. A host patch is added to this baseline. 13-11
Attaching a Baseline To view compliance information and remediate inventory objects, first attach a baseline or baseline group to an object. For improved efficiency, attach a baseline to a container object instead of to an individual object. 13-12
Scanning for Updates Scanning evaluates the inventory object against the baseline or baseline group. A scan can be performed manually or automatically, using a scheduled task. 13-13
Viewing Compliance In this example, the scan found two noncompliant hosts. After the scan, patches and updates can be staged first and then remediated at a later time. 13-14
Remediating Objects You can remediate virtual machines, templates, virtual appliances, and hosts. You can perform the remediation immediately or schedule it for a later date. 13-15
Maintenance Mode and Remediation Option for PXE-booted ESXi 5.0 Power off or suspend virtual machines 13-16
Remediation Options for a Cluster When remediating hosts in a cluster, you must temporarily disable certain cluster features: VMware vsphere Distributed Power Management, VMware vsphere High Availability, and VMware vsphere Fault Tolerance. You can generate a report that identifies problems before remediation occurs. 13-17
Patch Recall Notification At regular intervals, Update Manager contacts VMware to download notifications about patch recalls, new fixes, and alerts. Notification Check Schedule is selected by default. On receiving patch recall notifications, Update Manager: Generates a notification in the notification tab No longer applies the recalled patch to any host: Patch is flagged as recalled in the database. Deletes the patch binaries from its patch repository Does not uninstall recalled patches from ESXi hosts: Instead, it waits for a newer patch and applies that to make a host compliant. 13-18
Remediation Enabled for DRS Eliminate downtime for virtual machines when patching ESXi hosts: 1. Update Manager puts host in maintenance mode. 2. VMware vsphere Distributed Resource Scheduler moves virtual machines to available host. 3. Update Manager patches host and then exits maintenance mode. 4. DRS moves virtual machines back per rule. UM + DRS! maintenance mode 13-19
Lab 23 In this lab, you will install, configure, and use Update Manager. 1. Install Update Manager. 2. Install the Update Manager plug-in into the vsphere Client. 3. Modify cluster settings. 4. Configure Update Manager. 5. Create a patch baseline. 6. Attach a baseline and scan for updates. 7. Stage the patches onto the ESXi hosts. 8. Remediate the ESXi hosts. 13-20
Review of Learner Objectives You should be able to do the following: Describe Update Manager. List the steps to install Update Manager. Use Update Manager: Create and attach a baseline. Scan an inventory object. Remediate an inventory object. 13-21
Key Points Update Manager patches and updates ESXi 5.1 hosts as well earlier versions of hosts, virtual machines, templates, and virtual appliances. Update Manager reduces security vulnerabilities by keeping systems up to date and by reducing the diversity of systems in an environment. Update Manager no longer patches guest operating systems or the applications running within guest operating systems. Questions? 13-22