VMware Update Manager
Keeping your infrastructure up-to-date is one of the crucial tasks of day to day operations of every system administrator. Path management and compliance checks of the environment is usually long run and unfortunately not every environment is patched periodically.
There are several major results of un-patched environment
- Missing security patches that might lead into compromising of the environment itself
- If no bug fixes are deployed, you might run into unpredicted situations
- Vendors like VMware might decline to provide support unless your infrastructure is patched to recommended level
Today I will talk about VMware Update Manager component of VMware vSphere that simplified those tasks related to vSphere environments.
In the past it was a bit complicated to setup VUM (VMware Update Manager). Until recent release of VMware vSphere 6.5 VUM needs to be installed on separate Windows based machine, even if you run Linux based vCenter Server Appliance. Fortunately, now VUM is a part of VCSA so you do not need to install additional virtual machine. For those who use Windows you still need to install VUM on separate Windows based virtual machine as it was before.
So, let’s have a look at the architecture of VUM and the workflow of patch management process.
First you have to define your baseline. Baseline is a set of patches and their versions that you can attach later on to different objects. You can attach baselines to cluster, individual ESXi hosts or even folders that hosts your virtual machines.
Baseline do not need to include only patches, but it can be also complete new images of ESXi servers to automatically update of the ESXi to newer versions or even new versions of supported virtual appliances. Yes, you can even upgrade your vRealize Operations environment using VUM.
Another important note regarding patches is, that you can also add other sources to the VUM. It could be your internal repository of custom VIB packages or vendor repository of new drivers (for example HPE offer such repository to ease deployment of hardware related patches).
Once the baseline is created, you will attach it to the object and after this step, you can scan your inventory.
What scan means? Well, it will scan your inventory against the baseline and you will receive report what components are installed and what is missing. The ultimate goal is to have your whole environment fully compliant against all your baselines.
Remediation and Staging
The next step would be to fix such situation and install all the updates.
You have possibility to stage patches before remediation. What stage will do is that all the patches will be downloaded to ESXi server before remediation. This is a great option especially in larger environments because it might take some time to distribute the patches. Staging is non-disruptive to the environment, so you can do that (depending on your change management process) anytime and you can save time later during the remediation itself.
The last step in the patch process is the actual remediation task. Remediation will actually install all the updates to the ESXi host (or upgrade VMware tools for VMs for example). This is definitely disruptive task in some way. What VUM will do is that it will perform a rolling reboot of all ESXi hosts in the cluster during the remediation process. On every single host following tasks will be done:
- Host is placed in maintenance mode (and all VMs are migrated using vMotion from the host either automatically if DRS is set to auto or manually if DRS is set to partial or manual)
- Patches that have not been staged are staged to the host
- Installation of the patches
- Reboot of the ESXi host
- Host is removed from maintenance mode
You have possibility to adjust a lot of configuration items here – like disabling Admission control, specifying how many hosts can be remediated simultaneously, what to do with powered-of VMs and many more so the process is really flexible to address any requirements of the environment.
Once all items will be remediated, automatically scan of the infrastructure will be done resulting in fully compliant environment.
So, as you can see using VUM you can easily maintain your vSphere environment up-to-date using integrated functionality of the vSphere suite itself. If you are currently not patching your environment I would strongly suggest started doing that because as said, with fully-patched environment you get desired stability.
If you are interested in more details about VUM, feel free to have a look at VMware Update Manager instalaltion and admin guide.