Keeping your VMware patches up to date is a critical aspect of maintaining your VMware vSphere environment. Luckily, VMware vSphere Update Manager makes this very simple to do for a number of your VMware vSphere components. Let’s take a closer look at how to patch an ESXi host using Update Manager.
Before Patching ESXi
First things first: before patching ESXi, or any other vSphere component, it is important to make sure that the version you are patching to is compatible with the rest of your VMware vSphere environment, and anything that touches it.
These are things like:
- VMware vCenter Server
- Storage Arrays
- Backup Software
If it touches your VMware vSphere environment, make sure to check the VMware Compatibility Guide and Interoperability Matrix before you upgrade.
Accessing Update Manager
There are a number of different ways to access VMware vSphere Update Manager in vCenter. One of the easiest ways is to click Menu, then Update Manager in the vSphere Client. When I say vSphere Client, I am referring to the HTML5 based client.
Understanding VMware Patches
When it comes to VMware Patches, there are a couple of different types offered for ESXi. You can get a better understanding of them by simply taking a look at Update Manager, and the patches available in it:
There are patches and rollups available for ESXi. I prefer rollups, since they include all patches. You may elect to apply a specific patch if you are trying to solve a specific problem and have been instructed to do so by VMware support, or if the latest patch available does not include a rollup.
Creating Baselines for ESXi Patches
If you are already familiar with VMware vSphere Update Manager, a new baseline for patches is just like creating any other baseline.
If not, don’t worry, I will walk you through it. You may want to take a look at some of my other Update Manager guides like:
These have more examples of how to use VMware vSphere Update Manager.
Back to our baseline. Simply select New and Baselines under Baselines in Update Manager.
As I have mentioned previously, I prefer to use rollup patches when appropriate. The next step is to give your baseline a name that makes sense to you. My ESXi hosts have been neglected for some time, so I will be applying the most recent baseline patch.
Next, you will be asked about Automatic and Manual patch selection. I am going to skip the Automatic step and select my patches manually.
However, if you wish to use Automatic patch selection, there are a number of filters you can apply.
I am going to uncheck that box, and click next so I can manually select my patches.
In the Manual patch select screen, I searched for Rollup since I am looking to apply a Rollup patch.
Now, you may be wondering what these patches mean. The best thing to do when you are not sure is to simply Google the build number shown, or head on over to the VMware KB and enter it there.
You can take a good guess from the digits listed, as they are a date code. You can also elect to start with the most recent date code patch and go from there.
I ended up selecting ESXi670-201906002 (click for release notes in VMware docs) since this is what made sense for my environment at the time. I believe I was still running ESXi 6.7 U1.
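To make the date code reading concrete, here is an added example (not part of the original post, and not VMware code) that decodes patch IDs shaped like ESXi670-201906002 and picks the most recent one for a release line. The ID layout is an assumption inferred from that one ID, and every sample ID other than ESXi670-201906002 is constructed.

```python
import re
from datetime import date
from typing import Iterable, NamedTuple, Optional

# Layout assumed from the page's example ESXi670-201906002:
# "ESXi" + release line, "-", YYYYMM date code, three-digit sequence.
_ID = re.compile(r"^ESXi(\d{3})-(\d{4})(\d{2})(\d{3})$")

class Bulletin(NamedTuple):
    raw: str
    release: str     # "670" is the ESXi 6.7 line
    released: date   # first day of the month in the date code
    seq: int

def parse_bulletin(bulletin_id: str) -> Optional[Bulletin]:
    """Decode one ID; None if it does not follow the assumed layout."""
    m = _ID.match(bulletin_id.strip())
    if not m:
        return None
    release, year, month, seq = m.groups()
    try:
        released = date(int(year), int(month), 1)
    except ValueError:   # month 00 or 13, year 0000
        return None
    return Bulletin(m.group(0), release, released, int(seq))

def newest_for_release(ids: Iterable[str], release: str) -> Optional[Bulletin]:
    """Latest bulletin by date code, then sequence, within one release line."""
    parsed = [b for b in map(parse_bulletin, ids) if b and b.release == release]
    return max(parsed, key=lambda b: (b.released, b.seq), default=None)

def months_between(older_id: str, newer_id: str) -> Optional[int]:
    """Months from one date code to another; None if malformed or mixed lines."""
    a, b = parse_bulletin(older_id), parse_bulletin(newer_id)
    if not a or not b or a.release != b.release:
        return None
    return (b.released.year - a.released.year) * 12 + b.released.month - a.released.month

# Constructed sample list; only ESXi670-201906002 comes from the page.
SAMPLE_IDS = [
    "ESXi670-201811001",   # constructed: older, same release line
    "ESXi670-201906002",   # the rollup selected on the page
    "ESXi650-201907001",   # constructed: newer date code, different line
    "ESXi670-201913001",   # constructed: invalid month, must be rejected
]

if __name__ == "__main__":
    pick = newest_for_release(SAMPLE_IDS, "670")
    print(pick.raw, pick.released.strftime("%Y-%m"))
```

Filtering by release line before comparing date codes matters: a later date code on a different line (the constructed ESXi650 entry) is not a newer patch for a 6.7 host.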
Finish clicking through the wizard to create your baseline. You are ready for your next step.
Attaching a Baseline to an ESXi Host or Cluster
Next is to attach your baseline to an object in vCenter. While you can attach your baseline to a number of different objects, I prefer to attach it at the cluster level.
The process is the same no matter what you are attaching a baseline to. Click the inventory item in vCenter, and navigate to the Updates tab, which is the last tab on the right.
Then, you will be able to attach the baseline as shown here:
After you attach a baseline to a cluster or other vCenter inventory object, you have three options: DETACH, STAGE, and REMEDIATE.
I like to stage my patches before I remediate. Staging patches simply downloads them to your ESXi hosts ahead of time so the active patching process is faster.
If you do not stage your patches first, your host will download the patches from Update Manager, then remediate, making the actual active patching process take longer.
Remediating the Patch Baseline or Applying VMware ESXi Patches
After your patches are staged (which you don’t have to do, of course), you are ready to REMEDIATE your baseline.
This is a fancy way of saying that Update Manager will make sure your ESXi hosts match the baseline. To do this, Update Manager will apply the patch.
Update Manager will roll through your vSphere cluster, entering a host into maintenance mode, rebooting it, and exiting maintenance mode. You can pretty much click REMEDIATE, let the Pre-Check run, and then get some coffee.
Follow the same process we followed for STAGE, but click remediate this time.
Understanding Pre-Check Remediation in Update Manager
I want to bring your attention to the pre-check remediation portion of the ESXi patching process.
Before Update Manager attempts to patch your environment, and do things like roll your hosts through maintenance mode, it needs to make sure everything is set up correctly.
If you don’t have DRS enabled, you will have problems since your vSphere cluster needs to balance the load across the remaining nodes.
Be sure to check out the Pre-Check Remediation Report on vSphere Docs to see what Update Manager looks for. The Pre-Check Remediation must be successful before you can remediate your patch baseline.
Verifying Your ESXi Patches
You can then check the build number of ESXi to verify it matches the build number of the patches you applied.
Another, much simpler way to do this is to simply check the compliance of your cluster in Update Manager.
The hosts' compliance tells you whether they match the baseline you have attached to them.
Summary of Patching VMware ESXi
Patching ESXi is an important part of every organization's vSphere operations. It can be done quickly and easily with the aid of VMware vSphere Update Manager. The process consists of creating the baselines for your VMware patches, attaching your baseline to a vSphere object like an ESXi cluster, and optionally staging your patches before you remediate your ESXi hosts to meet their baseline.