© 2010 vmware inc. all rights reserved patch management module 13

© 2010 VMware Inc. All rights reserved

Patch Management

Module 13

Module 13-2


You Are Here

OperationsvSphere Environment

Introduction to VMware Virtualization

VMware ESX and ESXi

VMware vCenter Server

Networking

Storage

Virtual Machines

Access Control

Resource Monitoring

Data Protection

Scalability

Installing VMware ESX and ESXi

High Availability

Patch Management

VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 13-3


Importance

Over time, your VMware vSphere™ environment might undergo change in its hardware or software configuration, or in the form of software updates or patches. From a manageability and scalability perspective, you should implement changes to your vSphere environment in an orderly, controlled, and systematic fashion.


Module 13-4


Module Objectives

Describe VMware vCenter™ Update Manager

List the steps to install Update Manager

Use Update Manager:

• Create and attach a baseline

• Scan an inventory object

• Remediate an inventory object


Module 13-5


Update Manager

Update Manager enables centralized, automated patch and version management for VMware® ESX™/ESXi hosts, virtual machines, and virtual appliances.

Update Manager reduces security risks.

Keeping systems up to date reduces the number of vulnerabilities.

Many security breaches exploit older vulnerabilities.

Reducing the diversity of systems in an environment:

• Makes management easier

• Reduces security risks


Module 13-6


Update Manager Capabilities

Automated patch downloading:

Begins with information-only downloading

Is scheduled at regular configurable intervals

Contacts the following sources:

• For ESX/ESXi patching: https://hostupdate.vmware.com

• For Windows and Linux virtual machines and applications: https://www.shavlik.com

• For third-party patches: URL of third-party source

Creation of baselines and baseline groups

Scanning:

Inventory systems are scanned for baseline compliance.

Remediation:

Inventory systems that are not current can be automatically patched.


Module 13-7


Update Manager Components


Shavlik patch source

vCenterServer system

Update Manager server

databaseserver

vCenter Serverdatabase

patchdatabase

VMware patch source

Update Manager agents are

installed into virtual machines.

hosts

optional download server

VMware vSphere Client with

Update Manager plug-in

Internet

patchdatabase

AA

A

AA

A

AA

A

third-party patch source

Module 13-8


Installing Update Manager

Update Manager must be installed on a 64-bit machine.

To install, start the VMware vCenter Installer and click vCenter Update Manager.

Information needed during the installation:

vCenter Server host name, user name, and password

Choice of database: use default or existing database

Update Manager port settings:• Host name, ports, proxy settings (if necessary)

Destination folder and location for downloading patches

To install the Update Manager client:

Install the Update Manager Extension plug-in into the vSphere Client.


Module 13-9


Configuring Update Manager Settings


Modify Update

Manager configuration properties.

By default, all patch sources are enabled. Add third-party patch sources if necessary.

Module 13-10


Baseline and Baseline Groups


A baseline consists of one or more patches, extensions, or upgrades.

There are five types of baselines:

Host patch

Host extension

Host upgrade

Virtual machine patch

Virtual appliance upgrade

Update Manager includes a number of default baselines.

A baseline group consists of multiple baselines:

Can contain one upgrade baseline per type and one or more patch and extension baselines

example of default baselines for hosts

Module 13-11


Creating a Baseline


To create a baseline:

1. Click Create.

2. Specify name and description.

3. Choose a baseline type.

4. For a patch baseline, select a patch option: Fixed or Dynamic.

5. Select patches to add to the baseline.

A host patch is added to this

baseline.

Module 13-12


Attaching a Baseline


To view compliance information and remediate inventory objects, first attach a baseline or baseline group to an object.

For improved efficiency, attach a baseline to a container object instead of to an individual object.

Module 13-13


Scanning for Updates

Scanning evaluates the inventory object against the baseline or baseline group.

A scan can be performed manually or automatically, using a scheduled task.


manual scan

scheduled scan

Module 13-14


Viewing Compliancy


In this example, the scan found

two noncompliant

hosts.

After the scan, a host object can be staged and then remediated.

Module 13-15


Remediating Objects

You can remediate virtual machines, templates, virtual appliances, and hosts.

You can perform the remediation immediately or schedule it for a later date.


Module 13-16


Remediation Options for a Cluster


When remediating hosts in a cluster, you must temporarily disable certain cluster features:

VMware DPM, VMware HA, FT.

You can generate a report that

identifies problems before remediation

occurs.

Module 13-17


Patch Recall Notification


At regular intervals, Update Manager contacts VMware to download notifications about patch recalls, new fixes, and alerts.

Notification Check Schedule is selected by default.

On receiving patch recall notifications, Update Manager:

Generates a notification in the notification tab

No longer applies the recalled patch to any host:

• Patch is flagged as recalled in the database.

Deletes the patch binaries from its patch repository

Does not uninstall recalled patches from ESX hosts:

• Instead, it waits for a newer patch and applies that to make a host compliant.

Module 13-18


Remediation Enabled for DRS

Eliminate downtime for virtual machines when patching ESX/ESXi hosts:

1. Update Manager puts host in maintenance mode.

2. DRS moves virtual machines to available host.

3. Update Manager patches host and then exits maintenance mode.

4. DRS moves virtual machines back per rule.


maintenance mode

UM + DRS

!

Module 13-19


Lab 27

In this lab, you will install, configure, and use Update Manager.

1. Install Update Manager.

2. Modify cluster settings.

3. Install and enable the Update Manager plug-in.

4. Configure Update Manager.

5. Create a patch baseline.

6. Attach a baseline and scan for updates.

7. Stage patches and remediate ESXi hosts.


Module 13-20


Module Summary

Describe Update Manager

List the steps to install Update Manager

Use Update Manager:

• Create and attach a baseline

• Scan an inventory object

• Remediate an inventory object


Module 13-21


Key Points

Update Manager patches and updates ESX/ESXi hosts, virtual machines, templates, and virtual appliances.

Update Manager reduces security vulnerabilities by keeping systems up to date and by reducing the diversity of systems in an environment.


© 2010 vmware inc. all rights reserved patch management module 13

Documents

vmware vsphere environment

vmware vcenter installer

vmware esxesxi hosts

rights reserved1you

rights reservedmodule

inventory systems

module title

servervmware vsphere