Patch Management. Module VMware Inc. All rights reserved

Patch Management

Module 13

Course Introduction Introduction to Virtualization

Creating Virtual Machines VMware vCenter Server

Configuring and Managing Virtual Networks Configuring and Managing vSphere Storage

Virtual Machine Management

Data Protection

Access and Authentication Control Resource Management and Monitoring

High Availability and Fault Tolerance Host Scalability

Patch Management

Installing VMware vSphere Components

You Are Here

Over time, your VMware vSphere® environment might undergo change in its hardware or software configuration, or in the form of software updates or patches.

From a manageability and scalability perspective, you should implement changes to your vSphere environment in an orderly, controlled, and systematic fashion.

Importance

After this module, you should be able to do the following:



Describe VMware vSphere® Update Manager™.



List the steps to install Update Manager.



Use Update Manager:

•

Create and attach a baseline.

•

Scan an inventory object.

•

Remediate an inventory object.

Learner Objectives

Update Manager enables centralized, automated patch and version management for VMware vSphere® ESXi™ hosts, virtual machine hardware, VMware® Tools™, and virtual appliances.

Update Manager reduces security risks:



Reduces the number of vulnerabilities.



Eliminates many security breaches that exploit older vulnerabilities.

Update Manager reduces the diversity of systems in an environment:



Makes management easier



Reduces security risks

Update Manager keeps machines running more smoothly:



Patches include bug fixes



Makes troubleshooting easier

Update Manager

Enables cross-platform upgrade from VMware® ESX® to ESXi®

Automated patch downloading:



Begins with information-only downloading



Is scheduled at regular configurable intervals



Contacts the following sources for patching ESXi hosts:

•

For VMware® patches: https://hostupdate.vmware.com

•

For third-party patches: URL of third-party source

Creation of baselines and baseline groups Scanning:



Inventory systems are scanned for baseline compliance.

Remediation:



Inventory systems that are not current can be automatically patched.

Reduces the number of reboots required after VMware Tools updates

Update Manager Capabilities

Update Manager Components

VMware vCenter Server™ system

Update Manager server

database server

vCenter Server database

patch database

VMware patch source hosts

optional download server VMware vSphere®

Client™ with Update Manager

plug-in Internet

patch database

third-party patch source

Update Manager must be installed on a Windows 64-bit machine.

To install, start the VMware vCenter Installer and click VMware vSphere Update Manager.

Information needed during the installation:



vCenter Server host name, user name, and password



Choice of database: use default or existing database



Update Manager port settings:

•

Host name, ports, proxy settings (if necessary)



Destination folder and location for downloading patches To install the Update Manager client:



Install the Update Manager Extension plug-in into the vSphere Client.

Installing Update Manager

Configuring Update Manager Settings

Modify Update Manager configuration

properties.

By default, all patch sources are enabled. Additional patch sources can be added

if necessary.

A baseline consists of one or more patches, extensions, or upgrades.

Five types of baselines:



Host patch



Host extension



Host upgrade



Virtual machine upgrade

for hardware or VMware Tools



Virtual appliance upgrade Update Manager includes a number of default baselines.

A baseline group consists of multiple baselines:



Can contain one upgrade baseline per type and one or more patch and extension baselines

Baseline and Baseline Groups

example of default baselines for hosts

To create a baseline:

1. Click Create.

2. Specify name and description.

3. Choose a baseline type.

4. For a patch baseline, select a patch option: Fixed or Dynamic.

5. Select patches to add to the baseline.

Creating a Baseline

A host patch is added to this

baseline.

To view compliance information and remediate inventory objects, first attach a baseline or baseline group to an object.

For improved efficiency, attach a baseline to a container object instead of to an individual object.

Attaching a Baseline

Scanning evaluates the inventory object against the baseline or baseline group.

A scan can be performed manually or automatically, using a scheduled task.

Scanning for Updates

Viewing Compliance

In this example, the scan found two noncompliant

hosts.

After the scan, patches and updates can be staged first and then remediated at a later time.

You can remediate virtual machines, templates, virtual appliances, and hosts.

You can perform the remediation immediately or schedule it for a later date.

Remediating Objects

Maintenance Mode and Remediation

Power off or suspend virtual machines

Option for PXE-booted

ESXi 5.0

Remediation Options for a Cluster

When remediating hosts in a cluster, you must temporarily disable certain cluster features:

VMware vSphere® Distributed Power Management™, VMware vSphere® High Availability, and VMware vSphere® Fault Tolerance.

You can generate a report that identifies problems before remediation

occurs.

At regular intervals, Update Manager contacts VMware to download notifications about patch recalls, new fixes, and alerts.



Notification Check Schedule is selected by default.

On receiving patch recall notifications, Update Manager:



Generates a notification in the notification tab



No longer applies the recalled patch to any host:

•

Patch is flagged as recalled in the database.



Deletes the patch binaries from its patch repository



Does not uninstall recalled patches from ESXi hosts:

•

Instead, it waits for a newer patch and applies that to make a host compliant.

Patch Recall Notification

Eliminate downtime for virtual machines when patching ESXi hosts:

1. Update Manager puts host in maintenance mode.

2. VMware vSphere® Distributed Resource Scheduler™ moves virtual machines to available host.

3. Update Manager patches host and then exits maintenance mode.

4. DRS moves virtual machines back per rule.

Remediation Enabled for DRS

maintenance mode UM + DRS

!

In this lab, you will install, configure, and use Update Manager.

1. Install Update Manager.

2. Install the Update Manager plug-in into the vSphere Client.

3. Modify cluster settings.

4. Configure Update Manager.

5. Create a patch baseline.

6. Attach a baseline and scan for updates.

7. Stage the patches onto the ESXi hosts.

8. Remediate the ESXi hosts.

Lab 23

You should be able to do the following:



Describe Update Manager.



List the steps to install Update Manager.



Use Update Manager:

•

Create and attach a baseline.

•

Scan an inventory object.

•

Remediate an inventory object.

Review of Learner Objectives



Update Manager patches and updates ESXi 5.1 hosts as well earlier versions of hosts, virtual machines, templates, and virtual appliances.



Update Manager reduces security vulnerabilities by keeping systems up to date and by reducing the diversity of systems in an environment.



Update Manager no longer patches guest operating systems or the applications running within guest operating systems.

Questions?

Key Points