How to use the ESXi Patch Tracker to update ESXi


About a year ago I started my VMware ESXi Patch Tracker service. This is a set of automatically generated web pages that show informations about all available ESXi patches. Its primary purpose is to give you an easy way to track the patch history and get alerted about new patches once they are released. You can subscribe to it by RSS feed, E-mail and Twitter.

Recently I have added new functionality to the Patch Tracker that enables you to update your ESXi hosts in a very convenient way. Here is how:

The first thing that you need to do is enabling remote Tech Support Mode (better known as ssh shell access) for your ESXi host. KB1017910 explains various ways to do this. Beginners will likely just use the vSphere Client GUI. There is also a video on the VMwareKB Youtube channel available that explains it: In the Host Configuration tab click on the Security Profile link under Software on the left, then click on the Services / Properties link in the upper right corner. This will open a dialog where you can start and stop ESXi services. In the list find the service labeled SSH and click on the Options button. In the Options dialog press the Start button o start the service and close the dialog with OK.


Then close the Service Properties dialog by clicking on OK again. Now you are able to connect to your ESXi host with an ssh client, e.g. the Windows program putty.

Use it to log in to your host as the root user.

Next open the VMware ESXi Patch Tracker in a web browser. Navigate to the ESXi version that you want to upgrade to, e.g. 6.0. The page is sorted chronologically, and you will always find the latest patch at the top. At the time of this writing that is Update 1b. When you now click on the Imageprofile name (ESXi-6.0.0-20160104001-standard in this case) a window will pop up that includes some esxcli commands:


Now just do what's written there. Select all the displayed text (in Windows you can use the Ctrl-A keyboard shortcut for that) and copy it to the clipboard (Ctrl-C in Windows), Now select the putty window with your ESXi shell session and click on it with the right mouse button to paste and execute the commands:


The first command will open the ESXi firewall for outgoing http/https requests, the second command will pull the Imageprofile information and associated software packages (VIB files) from the VMware Online Depot and update your system with them. The third command will undo the first command (just to revert to the system defaults.

All you need to do now is to reboot your host by manually entering the reboot command. Before that make sure that there are no running VMs on the host, or they will be forcefully powered off.

Please note that this method will only work when your ESXi host has a direct outbound Internet connection to download packages from the VMware Online Depot. Otherwise you need to download the Offline bundle patch from MyVMware and use that to update your host. The ESXi Patch Tracker Help page has more information about that.



This post first appeared on the VMware Front Experience Blog and was written by Andreas Peetz. Follow him on Twitter to keep up to date with what he posts.



12 comments:

  1. Cool! The patch tracker page does big help!

    ReplyDelete
  2. So awesome. Thank you very much for the time and effort you put in to this!

    ReplyDelete
  3. Question. Isn't it needed/advisable to switch to maintenance mode before installing this updates ?

    ReplyDelete
    Replies
    1. Hi Jayce,

      that is advisable when the host is managed by vCenter and part of a DRS-enabled cluster. Switching to maintenance mode will then evacuate the host by moving all running VMs to other hosts in the cluster.

      A standalone host will not be able to successfully enter maintenance mode until you *manually* power off (or suspend) all VMs. That means with standalone hosts entering maintenance mode is neither needed nor helpful.

      For standalone hosts you should rather look into the "VM Autostart/shutdown" feature of ESXi. This can automatically shut down VMs when ESXi goes down and power them on again when it comes up. Using the feature is not related and does not require maintenance mode.

      Andreas

      Delete
    2. Thank you very much !!!
      I was not sure maintenance mode was useful for standalone hosts but i wasn't able to find any detailed information of what maintenance mode was exactly doing.

      Now i have a detailed answer and i will ignore maintenance mode on all my standalone hosts... Thank you very much !!!

      Delete
  4. Is there any benefit of these articles for stateless booted ESXi hosts? I have not found much information on best methods to keep my ESXi 5.5 hosts updated.

    The best I've come up with is to just document how I customize my image profiles, and when a new release comes out, to start with that version then apply my documented VIB customizations.

    Example: use PowerCLI and connect to https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml, select the latest ESXi 5.5 patch release, which at the time of writing this comment is ESXi-5.5.0-20141204001-standard. Take a clone of this image profile, then apply VIB customizations.

    Its not entirely clear to me if ESXi-5.5.0-20141204001-standard includes ESXi 6.0 Express Patch 1, which is listed as the previous build release, as per https://kb.vmware.com/kb/1014508. VMWare Support was not exactly helpful. I'm assuming 20141204001 should include the previous patches, but can anyone help me confirm this via a KB article or something else?

    ReplyDelete
    Replies
    1. Your process for updating stateless/Autodeploy hosts is correct, but the current ESXi 5.5 patch bundle is ESXi-5.5.0-20160204001-standard.

      I'm not sure what you mean with referring ESXi 6.0 EP 1. An ESXi 6.0 patch cannot be included in ESXi 5.5 (and vice versa).

      However, ESXi (5.x/6.x) patch bundles are cumulative inside the same version. So the latest ESXi 5.5 Imageprofile includes all patches that were released before with earlier ESXi 5.5 Imageprofiles. For a more detailed explanation see my blog post Are ESXi 5.x/6.x patches cumulative?.

      Delete
    2. Woops, I completely made a typo error, apologies! Not sure why I wrote anything about ESXi 6, when I was ranting about 5.5...

      What I meant to write is that I can't tell if the latest 5.5.0 Express Patch 10 also includes Express Patch 9. If I use the vmware depot and consult your matrix, it looks like each of these patches updates the esx-base VIB. It should make sense that if both update esx-base, then the later Express Patch 10 should include Express Patch 9, right?

      To make matters more confusing, I asked VMWare Support the same question, but their answer makes me think the representative didn't know what they were talking about, and I quote: "Express patches released post major update needs to be installed separately." - which makes zero sense to me if I were to use the PowerCLI method I outlined above.

      The link you posted above does clear it up, and helps me confirm my suspicions. The keywords are "patch bundles" which makes total sense now.

      Thank you sir!

      Delete
  5. I run the following to always get the latest available imageprofile:
    LATESTVER=`esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml |grep "ESXi-6.....[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].standard" |sort | tail -1 | awk '{ print $1}'`
    echo $LATESTVER
    esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p $LATESTVER

    ReplyDelete

***** All comments will be moderated! *****
- Please post only comments or questions that are related to this post's contents!
- Advertising and link spamming will not be tolerated!