Objective 4.1 – Perform ESXi Host and Virtual Machine Upgrades
So here we are on to Objective 4, starting with Objective 4.1 – Perform ESXi Host and Virtual Machine Upgrades. As always this article is linked to from the main VCP6.5-DCV Blueprint.
Happy Revision
Simon
Configure download source(s)
You can configure the Update Manager server to download patches and extensions for ESXi hosts or upgrades for virtual appliances either from the Internet or from a shared repository of UMDS data. You can also import patches and extensions for ESXi hosts manually from a ZIP file.
If your deployment system is connected to the Internet, you can use the default settings and links for downloading upgrades, patches, and extensions to the Update Manager repository. You can also add URL addresses to download virtual appliance upgrades or third-party patches and extensions. Third-party patches and extensions are applicable only to hosts that are running ESXi 5.0 and later.
Downloading host patches from the VMware Web site is a secure process.
- Patches are cryptographically signed with the VMware private keys. Before you try to install a patch on a host, the host verifies the signature. This signature enforces the end-to-end protection of the patch itself, and can also address any concerns about patch download.
- Update Manager downloads patch metadata and patch binaries over SSL connections. Update Manager downloads patch metadata and patch binaries only after verification of both the validity of the SSL certificates and the common name in the certificates. The common name in the certificates must match the names of the servers from which Update Manager downloads patches.
If your deployment system is not connected to the Internet, you can use a shared repository after downloading the upgrades, patches, and extensions by using Update Manager Download Service (UMDS).
Changing the download source from a shared repository to Internet, and the reverse, is a change in the Update Manager configuration. Both options are mutually exclusive. You cannot download updates from the Internet and a shared repository at the same time. To download new data, you must run the VMware vSphere Update Manager Download task. You can start the task by clicking the Download Now button at the bottom of the Download Sources pane.
If the VMware vSphere Update Manager Update Download task is running when you apply the new configuration settings, the task continues to use the old settings until it completes. The next time the task to download updates starts, it uses the new settings.
With Update Manager, you can import both VMware and third-party patches or extensions manually from a ZIP file, also called an offline bundle. Import of offline bundles is supported only for hosts that are running ESXi 5.0 and later. You download the offline bundle ZIP files from the Internet or copy them from a media drive, and save them on a local or a shared network drive. You can import the patches or extensions to the Update Manager patch repository later. You can download offline bundles from the VMware Web site or from the Web sites of third-party vendors.
Offline bundles contain one metadata.zip file, one or more VIB files, and optionally two .xml files, index.xml and vendor-index.xml. When you import an offline bundle to the Update Manager patch repository, Update Manager extracts it and checks whether the metadata.zip file has already been imported. If the metadata.zip file has never been imported, Update Manager performs sanity testing, and imports the files successfully. After you confirm the import, Update Manager saves the files into the Update Manager database and copies the metadata.zip file, the VIBs, and the .xml files, if available, into the Update Manager patch repository.
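A pre-import check of an offline bundle, following the layout described above. This is an added example, not Update Manager's own code or part of the original article: the member names inside the sample bundle are constructed, and using a SHA-256 digest of metadata.zip to recognise an earlier import is an assumption made for illustration.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath, PureWindowsPath

OPTIONAL_XML = ("index.xml", "vendor-index.xml")  # optional per the text above


def build_sample_bundle(with_metadata=True, extra_members=()):
    """Build a constructed bundle in memory; every payload is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_metadata:
            zf.writestr("metadata.zip", b"constructed metadata payload")
        zf.writestr("vibs/example-driver-1.0.vib", b"constructed VIB payload")
        zf.writestr("index.xml", "<constructed/>")
        zf.writestr("vendor-index.xml", "<constructed/>")
        for name, payload in extra_members:
            zf.writestr(name, payload)
    return buf.getvalue()


def is_unsafe_member(name):
    """True if extracting this member could write outside the target folder."""
    posix = PurePosixPath(name.replace("\\", "/"))
    return (posix.is_absolute() or ".." in posix.parts
            or bool(PureWindowsPath(name).drive))


def inspect_bundle(data, imported_digests=frozenset()):
    """Check bundle structure from bytes, without extracting anything to disk."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        problems += [f"unsafe member path: {n}" for n in names if is_unsafe_member(n)]
        bad = zf.testzip()  # CRC check of every member
        if bad:
            problems.append(f"corrupt member: {bad}")
        metadata = [n for n in names if PurePosixPath(n).name == "metadata.zip"]
        vibs = [n for n in names if n.lower().endswith(".vib")]
        xml = sorted(n for n in names if n in OPTIONAL_XML)
        if len(metadata) != 1:
            problems.append(f"expected one metadata.zip, found {len(metadata)}")
        if not vibs:
            problems.append("no VIB files in bundle")
        digest = None
        if len(metadata) == 1:
            digest = hashlib.sha256(zf.read(metadata[0])).hexdigest()
    return {
        "ok": not problems,
        "problems": problems,
        "vibs": vibs,
        "optional_xml": xml,
        "metadata_sha256": digest,
        "already_imported": digest is not None and digest in imported_digests,
    }


if __name__ == "__main__":
    report = inspect_bundle(build_sample_bundle())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a bundle downloaded from a vendor site before importing it; a non-empty problems list is a reason to re-download the bundle or stop the import.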
Set up UMDS to set up download repository
If you use the Internet as a download source for updates, you can add a third-party URL address to download virtual appliance upgrades, and patches and extensions for hosts that are running ESXi 5.5 and later.
Required privileges: VMware vSphere Update Manager > Configure
- In the Home view of the vSphere Web Client, select the Update Manager icon.
- From the Objects tab, select an Update Manager instance.
The Objects tab also displays all the vCenter Server systems to which an Update Manager instance is connected.
- Click the Manage tab.
- Click Settings, and select Download Settings.
- In the Download Sources pane, click Edit.
An Edit Download Sources dialog box opens.
- Select the option Use direct connection to Internet.
- Click Add.
An Add Download Source dialog box opens.
- Enter a URL to a new download source.
Update Manager supports both HTTP and HTTPS URL addresses. Use HTTPS URL addresses, so that the data is downloaded securely. The URL addresses that you add must be complete and contain the index.xml file, which lists the vendor and the vendor index.
- Type a short description for the URL, and click OK.
The vSphere Web Client performs validation of the URL.
- Click OK to close the Edit Download Sources dialog box.
- In the Download Sources pane, click Download Now to run the Download patch definitions task.
All notifications and updates are downloaded immediately even if the Enable scheduled download check box is selected in Configure > Notification Check Schedule or Configure > Download Schedule, respectively.
Import ESXi images
You can upgrade the hosts in your environment to ESXi 6.5 by using host upgrade baselines. To create a host upgrade baseline, you must first upload at least one ESXi 6.5 .iso image to the Update Manager repository.
With Update Manager 6.5 you can upgrade hosts that are running ESXi 5.5 or ESXi 6.0 to ESXi 6.5. Host upgrades to ESXi 5.0, ESXi 5.1, ESXi 5.5, or ESXi 6.0 are not supported.
Before uploading ESXi images, obtain the image files from the VMware Web site or another source. You can create custom ESXi images that contain third-party VIBs by using vSphere ESXi Image Builder. For more information, see Customizing Installations with vSphere ESXi Image Builder.
You can upload and manage ESXi images from the ESXi Images tab of the Update Manager Administration view.
ESXi images that you import are kept in the Update Manager repository. You can include ESXi images in host upgrade baselines. To delete an ESXi image from the Update Manager repository, first you must delete the upgrade baseline that contains it. After you delete the baseline, you can delete the image from the ESXi Images tab.
Create Baselines and/or Baseline groups
Baselines contain a collection of one or more patches, extensions, service packs, bug fixes, or upgrades, and can be classified as patch, extension, or upgrade baselines. Baseline groups are assembled from existing baselines.
Host baseline groups can contain a single upgrade baseline, and various patch and extension baselines.
Virtual machine and virtual appliance baseline groups can contain up to three upgrade baselines: one VMware Tools upgrade baseline, one virtual machine hardware upgrade baseline, and one virtual appliance upgrade baseline.
When you scan hosts, virtual machines, and virtual appliances, you evaluate them against baselines and baseline groups to determine their level of compliance.
Update Manager includes two predefined patch baselines and three predefined upgrade baselines. You cannot edit or delete the predefined virtual machine and virtual appliance upgrade baselines. You can use the predefined baselines, or create patch, extension, and upgrade baselines that meet your criteria. Baselines you create, and predefined baselines, can be combined in baseline groups. For more information about creating and managing baselines and baseline groups
Baseline Types
Update Manager supports different types of baselines that you can use when scanning and remediating objects in your inventory.
- Update Manager Default Baselines
Update Manager includes default baselines that you can use to scan any virtual machine, virtual appliance, or host to determine whether the hosts in your environment are updated with the latest patches, or whether the virtual appliances and virtual machines are upgraded to the latest version.
- Baseline Groups
Baseline groups can contain patch, extension, and upgrade baselines. The baselines that you add to a baseline group must be non-conflicting.
Attach Baselines to vSphere objects
To view compliance information and scan objects in the inventory against baselines and baseline groups, you must first attach existing baselines and baseline groups to these objects. You can attach baselines and baseline groups to objects.
- Required privileges: VMware vSphere Update Manager > Manage Baselines > Attach Baseline.
- Select the type of object in the vSphere Web Client object navigator.
For example, Hosts and Clusters or VMs and Templates, and select an object or a container object.
- Select the Update Manager tab.
- In the Attach Baseline or Baseline Group window, select one or more baselines or baseline groups to attach to the object.
If you select one or more baseline groups, all baselines in the groups are selected. You cannot deselect individual baselines in a group.
- Create a baseline or a baseline group, if the existing baselines and groups do not match your task, and complete the remaining steps in the respective wizard.
The Attach Baseline or Group window collapses to the Work In Progress pane, and the respective New Baseline window or New Baseline Group window opens. When you complete the steps to create the baseline or the baseline group, the Attach Baseline or Group window reopens.
- Click OK.
Scan vSphere objects
Scanning is the process in which attributes of a set of hosts, virtual machines, or virtual appliances are evaluated against the patches, extensions, and upgrades included in the attached baselines and baseline groups.
You can configure Update Manager to scan virtual machines, virtual appliances, and ESXi hosts by manually initiating or scheduling scans to generate compliance information. To generate compliance information and view scan results, you must attach baselines and baseline groups to the objects you scan.
To initiate or schedule scans, you must have the Scan for Applicable Patches, Extensions, and Upgrades privilege.
You can scan vSphere objects from the Update Manager Client Compliance view.
Stage Patches and Extensions
Staging allows you to download the patches and extensions from the Update Manager server to the ESXi hosts, without applying the patches and extensions immediately. Staging patches and extensions speeds up the remediation process because the patches and extensions are already available locally on the hosts.
To stage patches or extensions to hosts, first attach a patch or extension baseline or a baseline group containing patches and extensions to the host.
To stage patches or extensions to ESXi hosts, you need the Stage Patches and Extensions privilege. For more information about managing users, groups, roles, and permissions,
You can reduce the downtime during remediation, by staging patches and extensions whose installation requires that a host enters maintenance mode. Staging patches and extensions itself does not require that the hosts enter maintenance mode.
Patches cannot be staged if they are obsoleted by patches in the baselines or baseline groups for the same stage operation. Update Manager stages only patches that it can install in a subsequent remediation process, based on the present scan results of the host. If a patch is obsoleted by patches in the same selected patch set, the obsoleted patch is not staged.
If a patch is in conflict with the patches in the Update Manager patch repository and is not in conflict with the host, after a scan, Update Manager reports this patch as a conflicting one. You can stage the patch to the host and after the stage operation, Update Manager reports this patch as staged.
During the stage operation, Update Manager performs prescan and postscan operations, and updates the compliance state of the baseline.
After you stage patches or extensions to hosts, you should remediate the hosts against all staged patches or extensions.
After a successful remediation of hosts, the host deletes all staged patches or extensions from its cache regardless of whether they were applied during the remediation. The compliance state of patches or extensions that were staged but not applied to the hosts reverts from Staged to its previous value.
- Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
vSphere Web Client
Select Home > Hosts and Clusters.
From the inventory object navigator, right-click a datacenter, a cluster, or a host, and select Update Manager > Stage Patches.
vSphere Client
Select Home > Inventory > Hosts and Clusters, in the navigation bar.
From the object navigator, right-click a datacenter, a cluster, or a host, and select Stage Patches.
The Stage Patches wizard opens.
- On the Baseline Selection page of the Stage wizard, select the patch and extension baselines to stage.
- Select the hosts where patches and extensions will be applied and click Next.
If you select to stage patches and extensions to a single host, it is selected by default.
- Deselect the patches and extensions to exclude from the stage operation.
- To search within the list of patches and extensions, enter text in the text box in the upper-right corner.
- Click Next.
- Review the Ready to Complete page and click Finish.
Remediate an object
You can manually remediate virtual machines and virtual appliances at the same time against baseline groups containing upgrade baselines. You can also schedule a remediation operation at a time that is convenient for you.
To remediate virtual machines and virtual appliances together, they must be in one container, such as a folder, vApp, or a datacenter. You must then attach a baseline group or a set of individual virtual appliance or virtual machine baselines to the container. If you attach a baseline group, it can contain both virtual machine and virtual appliance baselines. The virtual machine baselines apply to virtual machines only, and the virtual appliance baselines apply to virtual appliances only.
During remediation, virtual appliances must be able to connect to the Update Manager server. Ensure that the proxy configuration of virtual appliances lets them connect to the Update Manager server.
With Update Manager you can remediate templates. A template is a master copy of a virtual machine that can be used to create and provision new virtual machines.
You can set up automatic upgrades of VMware Tools on power cycle for virtual machines.
Update Manager handles host patches in the following ways:
- If a patch in a patch baseline requires the installation of another patch, Update Manager detects the prerequisite in the patch repository and installs it together with the selected patch.
- If a patch is in conflict with other patches that are installed on the host, the conflicting patch might not be installed or staged. However, if another patch in the baseline resolves the conflicts, the conflicting patch is installed. For example, consider a baseline that contains patch A and patch C, and patch A conflicts with patch B, which is already installed on the host. If patch C obsoletes patch B, and patch C is not in conflict with patch A, the remediation process installs patches A and C.
- If a patch is in conflict with the patches in the Update Manager patch repository and is not in conflict with the host, after a scan, Update Manager reports this patch as a conflicting one. You can stage and apply the patch to the host.
- When multiple versions of the same patch are selected, Update Manager installs the latest version and skips the earlier versions.
During patch remediation, Update Manager automatically installs the prerequisites of patches.
With Update Manager 6.0, you can remediate hosts of version ESXi 5.x against offline bundles that you have imported manually.
You can stage patches before remediation to reduce host downtime.
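The host patch handling rules listed above (prerequisites, conflicts resolved by an obsoleting patch, latest version wins), worked through as a simplified model. This is an added example and not Update Manager's actual resolver: the Patch fields and the plan_remediation function are hypothetical names, and the patch data is constructed to match the patch A, B and C case in the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    name: str
    version: int = 1
    requires: frozenset = frozenset()   # prerequisites installed with it
    conflicts: frozenset = frozenset()  # patches it cannot coexist with
    obsoletes: frozenset = frozenset()  # patches it replaces


def _clashes(p, present, accepted):
    """Names that p conflicts with, declared in either direction."""
    return (p.conflicts & present) | {
        a.name for a in accepted.values() if p.name in a.conflicts}


def plan_remediation(baseline, repository, installed):
    """Return (to_install, skipped) for one host.

    baseline   -- list of Patch objects selected for remediation
    repository -- dict name -> Patch for everything in the patch repository
    installed  -- set of patch names already on the host
    """
    skipped = {}
    # Multiple versions of one patch: keep the latest, skip the earlier ones.
    selected = {}
    for p in baseline:
        if p.name not in selected or p.version > selected[p.name].version:
            selected[p.name] = p
    # Prerequisites are looked up in the repository and added, transitively.
    queue = list(selected.values())
    while queue:
        for req in sorted(queue.pop().requires):
            if req not in selected and req not in installed and req in repository:
                selected[req] = repository[req]
                queue.append(repository[req])
    # A patch obsoleted by another patch in the same set is dropped.
    for name in sorted(selected):
        by = sorted(o.name for o in selected.values() if name in o.obsoletes)
        if by:
            skipped[name] = "obsoleted by " + ", ".join(by)
    pending = {n: p for n, p in selected.items() if n not in skipped}
    # Accept patches until nothing changes; accepting a patch removes the
    # installed patches it obsoletes, which can unblock a conflicting patch.
    remaining, accepted, progress = set(installed), {}, True
    while progress:
        progress = False
        for name in sorted(pending):
            p = pending[name]
            present = (remaining - p.obsoletes) | set(accepted)
            if _clashes(p, present, accepted) or not (p.requires <= present):
                continue
            accepted[name] = pending.pop(name)
            remaining -= p.obsoletes
            progress = True
    for name, p in pending.items():
        present = (remaining - p.obsoletes) | set(accepted)
        clash = sorted(_clashes(p, present, accepted))
        missing = sorted(p.requires - present)
        skipped[name] = ("conflicts with " + ", ".join(clash) if clash
                         else "missing prerequisite " + ", ".join(missing))
    return sorted((p.name, p.version) for p in accepted.values()), skipped


if __name__ == "__main__":
    a = Patch("A", conflicts=frozenset({"B"}))
    c = Patch("C", obsoletes=frozenset({"B"}))
    print(plan_remediation([a, c], {}, {"B"}))  # A and C both install
    print(plan_remediation([a], {}, {"B"}))     # A is skipped
```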
Upgrade a vSphere Distributed Switch
- In the vSphere Web Client, navigate to the distributed switch.
- Right-click the distributed switch and select Upgrade > Upgrade Distributed Switch.
- Select the vSphere Distributed Switch version that you want to upgrade the switch to and click Next.
Version 6.0.0
Compatible with ESXi version 6.0 and later.
Version 5.5.0
Compatible with ESXi version 5.5 and later. Features released with later vSphere Distributed Switch versions are not supported.
Version 5.1.0
Compatible with ESXi version 5.1 and later. Features released with later vSphere Distributed Switch versions are not supported.
- Review host compatibility and click Next.
Some ESXi instances that are connected to the distributed switch might be incompatible with the selected target version. Upgrade or remove the incompatible hosts, or select another upgrade version for the distributed switch.
- Complete the upgrade configuration and click Finish.
Upgrade VMware Tools
You can upgrade VMware Tools manually, or you can configure virtual machines to check for and install newer versions of VMware Tools.
The guest operating system checks the version of VMware Tools when you power on a virtual machine. The status bar of the virtual machine displays a message when a new version is available.
In Windows virtual machines, you can set VMware Tools to notify you when an upgrade is available. If this notification option is enabled, the VMware Tools icon in the Windows taskbar includes a yellow caution icon when a VMware Tools upgrade is available.
To install a VMware Tools upgrade, you can use the same procedure that you used for installing VMware Tools the first time. Upgrading VMware Tools means installing a new version.
For Windows and Linux guest operating systems, you can configure the virtual machine to automatically upgrade VMware Tools. Although the version check is performed when you power on the virtual machine, on Windows guest operating systems, the automatic upgrade occurs when you power off or restart the virtual machine. The status bar displays the message Installing VMware Tools … when an upgrade is in progress.
For vSphere virtual machines, you can use one of the following processes to upgrade multiple virtual machines at the same time.
- Log in to vCenter Server, select a host or cluster, and on the Virtual Machines tab specify the virtual machines on which to perform a VMware Tools upgrade.
- Use Update Manager to perform an orchestrated upgrade of virtual machines at the folder or datacenter level.
Some features in a particular release of a VMware product might depend on installing or upgrading to the version of VMware Tools included in that release. Upgrading to the latest version of VMware Tools is not always necessary; however, VMware highly recommends that you upgrade to the most updated version of VMware Tools. Newer versions of VMware Tools are compatible with several ESXi host versions. To avoid unnecessary upgrades, evaluate whether the added features and capabilities are necessary for your environment. See vSphere Virtual Machine Administration.
Upgrade Virtual Machine hardware
You can upgrade the hardware version of virtual machines to the latest version of ESXi in use. For virtual machines that are running on ESXi 5.x, VMware recommends that you upgrade the virtual hardware to the latest available version.
- Start the vSphere Client or vSphere Web Client and log in to the vCenter Server.
- Power off the virtual machine.
- Right-click the virtual machine and select the menu option to upgrade virtual hardware:
In the vSphere Client, the option is Upgrade Virtual Hardware.
In the vSphere Web Client, the option is Compatibility > Upgrade VM Compatibility.
The virtual hardware is upgraded to the latest supported version.
- Click Yes to continue with the virtual hardware upgrade.
- Power on the virtual machine.
- For Windows guest operating systems, reboot the guest operating system to make the changes take effect.
Upgrade an ESXi Host using vCenter Update Manager
When you upgrade an ESXi 5.5 or ESXi 6.0 host to ESXi 6.5, all supported custom VIBs remain intact on the host after the upgrade, regardless of whether the VIBs are included in the installer ISO.
When you perform a host scan, the target host is scanned against a set of VIBs from the upgrade image. If you scan hosts against an upgrade baseline that contains an ISO image of the same version as the target host, Update Manager displays Compliant or Non-compliant scan result. If the upgrade image is the basic one distributed by VMware, or is a custom ISO image that contains the same set of VIBs as the ones already installed on the target host, the scan result is Compliant. If the upgrade ISO contains VIBs that are of different kind or version than the target host, the scan result is Non-compliant.
The remediation process of ESXi 5.5 or ESXi 6.0 host to ESXi 6.5 image is an upgrade process.
You can also use an ISO 6.5 image in an upgrade operation of an ESXi 6.5 host. The remediation process of ESXi 6.5 host by using ESXi 6.5 image with additional VIBs is equivalent to a patching process. Because the upgrade image is of the same version as the target host, with completing the upgrade operation the additional VIBs are added to the target host.
Stage multiple ESXi Host upgrades
For ESXi hosts in a cluster, the remediation process is sequential by default. With Update Manager you can select to run host remediation in parallel.
When you remediate a cluster of hosts sequentially and one of the hosts fails to enter maintenance mode, Update Manager reports an error, and the process stops and fails. The hosts in the cluster that are remediated stay at the updated level. The ones that are not remediated after the failed host remediation are not updated. If a host in a DRS enabled cluster runs a virtual machine on which Update Manager or vCenter Server are installed, DRS first attempts to migrate the virtual machine running vCenter Server or Update Manager to another host, so that the remediation succeeds. In case the virtual machine cannot be migrated to another host, the remediation fails for the host, but the process does not stop. Update Manager proceeds to remediate the next host in the cluster.
The host upgrade remediation of ESXi hosts in a cluster proceeds only if all hosts in the cluster can be upgraded.
Remediation of hosts in a cluster requires that you temporarily disable cluster features such as VMware DPM and HA admission control. You should also turn off FT if it is enabled on any of the virtual machines on a host, and disconnect the removable devices connected to the virtual machines on a host, so that they can be migrated with vMotion. Before you start a remediation process, you can generate a report that shows which cluster, host, or virtual machine has the cluster features enabled.
When you remediate a cluster of hosts in parallel, Update Manager remediates multiple hosts concurrently. During parallel remediation, if Update Manager encounters an error when remediating a host, it ignores the host and the remediation process continues for the other hosts in the cluster. Update Manager continuously evaluates the maximum number of hosts it can remediate concurrently without disrupting DRS settings. You can limit the number of concurrently remediated hosts to a specific number.
Update Manager remediates hosts that are part of a vSAN cluster sequentially even if you select the option to remediate them in parallel. The reason is that by design only one host from a vSAN cluster can be in maintenance mode at any time.
For multiple clusters under a datacenter, the remediation processes run in parallel. If the remediation process fails for one of the clusters within a datacenter, the remaining clusters are still remediated.
Align appropriate Baselines with target inventory objects
Update Manager baselines are host baselines, virtual machine baselines, and virtual appliance baselines. To upgrade objects in your vSphere inventory, you can use predefined baselines, system-managed baselines, or custom baselines that you create.
When you scan hosts, virtual machines, and virtual appliances, you evaluate them against baselines and baseline groups to determine their level of compliance.
In the vSphere Web Client, the baselines and baseline groups are displayed on the Host Baselines and VMs/VAs Baselines tabs of the Update Manager Admin view.
Depending on the purpose for which you want to use them, host baselines can contain a collection of one or more patches, extensions, or upgrades. Therefore host baselines are upgrade, extension, or patch baselines. To update or upgrade your hosts you can use the Update Manager default baselines, or custom baselines that you create.
The VMs/VAs baselines are predefined. You cannot create custom VMs/VAs baselines.
The default baselines are the predefined and system managed baselines.
The Update Manager displays system managed baselines that are generated by vSAN. These baselines appear by default when you use vSAN clusters with ESXi hosts of version 6.0 Update 2 and later in your vSphere inventory. If your vSphere environment does not contain any vSAN clusters, no system managed baselines are created.
The system managed baselines automatically update their content periodically, which requires Update Manager to have constant access to the Internet. The vSAN system baselines are typically refreshed every 24 hours.
You can use the system managed baselines to upgrade your vSAN clusters to recommended critical patches, drivers, updates or latest supported ESXi host version for vSAN.
Predefined Baselines
Predefined baselines cannot be edited or deleted; you can only attach them to or detach them from the respective inventory objects.
Under the Host Baselines tab in Update Manager Admin view, you can see the following predefined baselines:
Critical Host Patches (Predefined)
Checks ESXi hosts for compliance with all critical patches.
Non-Critical Host Patches (Predefined)
Checks ESXi hosts for compliance with all optional patches.
Under the VMs/VAs Baselines tab in Update Manager Admin view, you can see the following predefined baselines:
VMware Tools Upgrade to Match Host (Predefined)
Checks virtual machines for compliance with the latest VMware Tools version on the host. Update Manager supports upgrading of VMware Tools for virtual machines on hosts that are running ESXi 5.5.x and later.
VM Hardware Upgrade to Match Host (Predefined)
Checks the virtual hardware of a virtual machine for compliance with the latest version supported by the host. Update Manager supports upgrading to virtual hardware version vmx-13 on hosts that are running ESXi 6.5.
VA Upgrade to Latest (Predefined)
Checks virtual appliance compliance with the latest released virtual appliance version.