vmware vcenter server update manager

VMware vCenter Server Update Manager

Product Support Engineering

VMware Confidential

VI4 - Mod 2-10 - Slide 2

Module 2 Lessons

Lesson 1 – vCenter Server High Availability

Lesson 2 – vCenter Server Distributed Resource Scheduler

Lesson 3 – Fault Tolerance Virtual Machines

Lesson 4 – Enhanced vMotion Compatibility

Lesson 5 – DPM - IPMI

Lesson 6 – vApps

Lesson 7 – Host Profiles

Lesson 8 – Reliability, Availability, Serviceability ( RAS )

Lesson 9 – Web Access

Lesson 10 – vCenter Server Update Manager

Lesson 11 – Guided Consolidation

Lesson 12 – Health Status


vCenter Update Manager Overview

VMware vCenter Update Manager compares the operating systems and applications running in your VMware Infrastructure deployment against a set of standard updates and patches.

Updates you specify can be applied to operating systems, as well as applications on scanned ESX/ESXi hosts, virtual machines, and virtual appliances.

vCenter Update Manager works with ESX/ESXi hosts, virtual machines, and virtual appliances.

vCenter Update Manager lets you scan for compliance and apply updates for guests, virtual appliances, and hosts.

vCenter Update Manager can scan and remediate powered on, suspended, and powered off virtual machines and templates and Scan and Remediate hosts.

If the updating or patching fails, you can revert the virtual machines and templates back to their prior condition, without losing data.


vCenter Update Manager Overview

You can use vCenter Update Manager to install, patch and update third party software using VI bundles and bulletins

available on VMware Patch Portal and third parties’ portals.

A VI bundle is a package, the smallest installable unit on an ESX host, while a bulletin defines a specific fix for an ESX 4 host, a roll-up which aggregates previous fixes, or an update release.

When a host is compliant with all bundles in a bulletin, it is

compliant with the vSphere bulletin that contains the bundles.


VMware vCenter Update Manager Sizing Estimator


vCenter Update Manager Supported Databases

vCenter Update Manager is supported on the following Databases :


Enabling Update Manager on a vSphere ClientTo enable vCenter Update Manager on a vSphere Client

Connect the vSphere Client to a vCenter Server on which vCenter Update Manager is installed.

Choose Plugins > Manage Plugins.


Enabling Update Manager on a vSphere Client

Complete the vCenter Update Manager client installation and click Finish

Click Next on Welcome screen

Accept the License Agreement and Click Next

Click Install

Click Finish


Enabling Update Manager on a vSphere vSphere Client

Right-click VMware vCenter Update Manager Extension in the Installed Extensions list on the Extension Manager page, and choose Enable. Click Close.


Enabling Update Manager on a vSphere Client

Dismiss any Security Warning dialog boxes that appear by clicking Yes or Ignore, and then click OK.The vCenter Update Manager button might not appear immediately in the vSphere Client. After installing the VMware vCenter Update Manager plug-in, if the button does not appear, restart the vSphere Client.


Upgrading vCenter Update Manager

vCenter Update Manager upgrades are available from vCenter Update Manager 1.0 to vCenter Update Manager 2.0

Before you upgrade vCenter Update Manager, be sure to upgrade both vCenter Server and vSphere Client to a compatible version.

vCenter Update Manager server and vCenter Update Manager client must be the same version.


vCenter Update Manager Network Port RequirementsAfter you install vCenter Update Manager if the default settings are kept during the installation, the vCenter Update Manager Web server listens on 9084 TCP and the vCenter Update Manager SOAP server listens on 8084 TCP.

Both are accessed througha reverse proxy that listens on the standard ports 80 and 443.


vCenter Update Manager Network Port Requirements

When vCenter Update Manager and the vCenter Server are installed on the same machine:

All incoming connections to vCenter Update Manager are accessed through a reverse proxy provided by the vCenter Server.

ESX connects to port 80, and the vCenter Server forwards the request to the vCenter Update Manager Web server listening on port 9084 for host patch downloads.

The vCenter Server directly connects to vCenter Update Manager on port 8084 because they are on the same machine.

vCenter Update Manager connects to ESX on port 902 for pushing the virtual machines patches.


vCenter Update Manager Network Port Requirements

When vCenter Update Manager and the vCenter Server are installed on two different machines:

vCenter Update Manager has a reverse proxy listening on ports 80 and 443 if the default is not changed during the installation.

The vCenter Server connects to vCenter Update Manager through port 443. The reverse proxy forwards the request to 8084.

ESX connects to vCenter Update Manager through port 80. The reverse proxy forwards the request to 9084.

vCenter Update Manager connects to ESX on port 902 for pushing the virtual machines patches.

To obtain metadata for the patches, vCenter Update Manager must be able to connect to http://www.vmware.com and http://xml.shavlik.com, and requires outbound ports 80 and 443.


Responding to Failure to put ESX Host in Maintenance Mode

To configure how vCenter Update Manager responds to failures to enter maintenance mode

Choose Home > Solutions and Applications > vCenter Update Manager.

Click the Configuration tab.

Under Settings, click ESX HostSettings.

Select the Failure response drop-down menu to determine how vCenter Update Manager respondsif an ESX host cannot be put in maintenance mode.

Choose Retry delay and Number of retries.

Click Apply.


Checking for Updates

vCenter Update Manager is designed to check for new updates at regular intervals.

Gathering current information about updates that are applicable to your environment allows vCenter Update Manager to work as expected.

Updates are downloaded according to a single schedule.


Checking for UpdatesTo modify checking for updates



Under Settings, click Update Downloads.

Click the Edit Update Downloads link in the upper-right corner


Checking for Updates

Select the type of updates to be downloaded, and click Next.

Specify a task name and description.

Specify the Frequency and Start Time of the update download, and click Next.

(Optional) Specify email addresses

Review the Summary page and click Finish


Configuring vCenter Update Manager with an Internet Proxy

You can modify vCenter Update Manager configuration settings to work with a proxy server.

To modify the proxy configuration through the vCenter Update Manager plug-in



Click General

Edit the default proxy information.If the proxy requires authentication,select the Proxy requires authentication check box and provide user name and password.

(Optional) Test the connection.

Click Apply.


Configuring Update Manager Network Port Settings

After you install vCenter Update Manager, you can configure its port settings to avoid conflicts with other programs installed on the same machine.

If vCenter Server is installed on the same machine, you cannot change the HTTP and HTTPS ports.

vCenter Update Manager doesn't open these ports, but vCenter Server does.

If vCenter Server is not installed on the same machine, vCenter Update Manager starts its own reverse proxy.

In this case, you are able to change both the HTTP and HTTPS ports.


Configuring Update Manager Network Port SettingsTo change the port settings



Click General

Edit the Port Settings

Click Apply.


Configuring vCenter Update Manager Patch

Download LocationWhen you install vCenter Update Manager, the installation wizard allows you to change the location for downloading patches.

To change the location later without reinstalling vCenter Update Manager, you must manually edit the vci-integrity.xml file.

To configure the vCenter Update Manager patch download location

Log in to the vCenter Update Manager server as an administrator.

Stop the vCenter Update Manager service

Navigate to the vCenter Update Manager installation directory and locate vci-integrity.xml. The default location is C:\Program Files\VMware\Infrastructure\vCenter Update Manager


Configuring vCenter Update Manager Patch

Download LocationCreate a backup copy of this file in case you need to revert to the previous configuration.

Edit the file by changing the following fields: <patchStore>yournewlocation</patchStore> The default patch download location is: C:\Documents and Settings\All Users\Application Data\VMware\VMware vCenter Update Manager\ Data\The directory path must end with \.

Save the file in UTF-8 format, replacing the existing file.

Copy the contents from the old patchstore directory to the new folder.

Restart the vCenter Update Manager service.

Note : You will have to create the directory structure that you specified for <yournewlocation>


Using the vCenter Update Manager Download Service

Use the vCenter Update Manager Download Service to initiate downloads of updates and to transfer the updates to vCenter Update Manager.

Establish a depot in which to place the updates.

After the updates are in the depot, export the newly downloaded updates to some portable storage device such as a CD or USB key and import them to the vCenter Update Manager server.

If vCenter Update Manager is installed on a machine that is not connected to the Internet, the scheduled update checks fail.

In such a case, disable the scheduled update checks and use the vCenter Update Manager Download Service as the only means to download and transfer updates to vCenter Update Manager.


Setting up the vCenter Update Manager Download Service

Log in to the machine where UMDS is installed, and open a terminal window.

Change to the directory where Download Service is installed. C:\Program Files\VMware\Infrastructure\vCenter Update Manager.

Specify the updates to download: To set up a download of all ESX host updates, enter the following command:

vmware-umds --set-config -enable-host 1 --enable-win 0 --enable-lin 0 To set up a download of all Windows updates, enter the following command:

vmware-umds --set-config -enable-host 0 --enable-win 1 --enable-lin 0 To set up a download of all Linux updates, enter the following command:

vmware-umds --set-config -enable-host 0 --enable-win 0 --enable-lin 1 To set up a download of all available updates, enter the following command:

vmware-umds --set-config -enable-host 1 --enable-win 1 --enable-lin 1

4 Run the program to download updates by entering the following command:vmware-umds --download

If you want to download the updates released in May 2008, enter the following command:vmware-umds --re-download -start-time 2008-05-01T00:00:00 --end-time 2008-05-31T23:59:59



Exporting Downloaded Updates

You can export the updates you downloaded to a specific location which serves as a shared repository for Update Manager.

Then configure Update Manager to use the shared repository as a patch download source.

The shared repository can also be hosted on a Web server.



To export downloaded updates

Log in to the machine where vCenter Update Manager Download Service is installed and open a terminal window.

Change to the directory where Download Service is installed.The default folder is C:\Program Files\VMware\Infrastructure\vCenter Update Manager.

Specify the export parameters.If you want to export all updates for the year 2007, enter the following command:vmware-umds --export --dest <repository_path> --start-time 2007-01- 01T00:00:00 --end-time 2007-12-31T23:59:59Here, <repository_path> is the full path to your export directory


Creating Baselines

You can create upgrade and patch baselines to meet the needs of your specific deployment by using the New Baseline wizard.

Creating additional, customized baselines allows patches to be grouped into logical sets.


Create a Dynamic Host Patch Baseline

Customize the baseline by entering criteria to filter the list of available patches: Text contains – Enter text to restrict

the updates displayed. Product – Select operating systems

or products for which this baseline includes patches.

Severity – Select the severity of updates to be included in this baseline.

Language – Select which language versions of patches to include.

Released Date – Provide Before and After dates to specify a range for the release dates of the updates.

Update Vendor – Select one of the listed update vendors.

Add or remove specific updates to/from this baseline – Select the check box to add or remove specific updates.


Create a Fixed Host Patch Baseline

Review the Ready to Complete page and click Finish


Creating Baselines – Host Upgrade

Click Upgrade to available version or Upload upgrade file . Click Next.



If you are upgrading to ESX 4.0:Specify the location of the service console VMDK or choose to automatically select a location.



Specify the rollback behavior for the upgrade.By default, the host will roll back in the event of an upgrade failure. Deselect the roll back check box to change this behavior.


Creating Baselines – Upgrade FileCreate a Host Upgrade Baseline Using an Upgrade File

You can create an ESX host upgrade baseline by using the New Baseline wizard. This procedure describes how to create a baseline with a specific upgrade file you upload.

To create a host upgrade baseline using an upgrade file


Click the Baselines and Groups tab.

Click the Create link in the upper-right corner of the page.The New Baseline wizard appears.

Provide a name and description for the baseline.


Creating Baselines – Upgrade File

Under Baseline Type, select Host Upgrade and click Next.

Select Upload Upgrade File, and click Next.

Click Browse to locate an upgrade file (.iso) from your local file system, and click Upload.The file might take several minutes to upload. After the file is uploaded successfully, it will be included in the list of available updates on the Upgrade Options page of the wizard.

Click Next.

Review the Ready to Complete page and click Finish.


Creating Baselines – Dynamic Virtual Machine

Customize the baseline by entering criteria to filter the list of available patches: Text contains – Enter text to

restrict the updates displayed. Product – Select operating

systems or products for which this baseline includes patches.

Severity – Select the severity of updates to be included in this baseline.

Language – Select which language versions of patches to include.

Released Date – Provide a range for the release dates of the updates.

Update Vendor – Select one of the listed update vendors.

Add or remove specific updates to/from this baseline

VI4 - Mod 2-10 - Slide101

Creating Baselines – Virtual Appliances

Create a Virtual Appliance Upgrade Baseline

You can create a virtual appliance upgrade baseline using the New Baseline wizard.

The virtual appliance upgrade baselines consist of a set of user-defined rules.

You can add many non-conflicting rules to a virtual appliance at once.

If the rules you create are in conflict, the vCenter Update Manager displays an Upgrade Rule Conflict window, which allows you to resolve the conflicts.


Creating Baselines – Virtual Appliances

Select Vendor, Virtual Appliance, and Upgrade To options from the drop-down menus, and click Add Rule.

(Optional) To add multiple rules, click Add Multiple Rules: a Select one or more vendors.

b Select one or more appliances.

c Select one Upgrade To option to apply to the selected appliances.

d Click OK.

If you create multiple rules to apply to the same virtual appliance, only the first applicable rule in the list is applied.

Click Next.


Create Baseline Groups

A baseline group consists of a set of non-conflicting baselines. Baseline groups allow you to create logical sets of patches.

You can create additional baseline groups through the New Baseline wizard.

When you create a baseline group, keep the following guidelines in mind:

All patch baselines can be included in one baseline group.

Only one upgrade baseline can exist in a baseline group.

Multiple upgrade baselines cannot be included a baseline group.

Baseline groups are displayed in the Baseline Groups pane of the Baselines and Groups tab of the vCenter Update Manager plug-in.

VI4 - Mod 2-10 - Slide 111

Create Host Baseline Groups

Select the patch baselines you want to include in the baseline group.

(Optional) To create a new patch baseline, click the Create New Host Patch Baseline link at the bottom of the Upgrades page.

VI4 - Mod 2-10 - Slide 113

Create Host Baseline Groups

The Host Baseline Group appears in the Baselines Group list

VI4 - Mod 2-10 - Slide 117

Create VM and VA Baseline Groups

For each type of upgrade (virtual appliance, hardware, and tools), select one of the available upgrade baselines to include in the baseline group.

To create a new Virtual Appliance upgrade baseline, click the Create New VA Upgrade Baseline link at the bottom of the Upgrades page.


Create VM and VA Baseline Groups

The Virtual Machine / Virtual Appliance Baseline Group appears in the Baselines Group list


Edit an Existing Baseline Group

You can change the name and type of an existing baseline group, as well as add or remove the included upgrade and patch baselines of a baseline group.

To edit an existing baseline group

Connect the vSphere Client to a vCenter Server on which vCenter Update Manager is installed, and select Home > Solutions and Applications > vCenter Update Manager.

On the Baselines and Groups tab, select the type of baselines to edit.For example, to edit the upgrade baselines for ESX hosts, click the Hosts button and the Upgrade Baselines sub-tab.

Select an existing baseline group from the Baseline Groups pane and click the Edit link above the pane. The Edit Baseline Group wizard appears.

(Optional) Edit the name and group type of the baseline group and click Next.

(Optional) Change the included upgrade baseline (if any) and click Next.

(Optional) Change the included patch baselines (if any) and click Next.

Review the Ready to Complete page and click Finish.


Scanning VI ObjectsYou can configure vCenter Update Manager to scan virtual machines, virtual appliances and ESX hosts against baselines and baseline groups by scheduling or manually initiating scans to generate compliance information.

You can manually initiate a scan of objects in the vSphere Client inventory.


Scanning VI Objects - Manually

Select the types of updates that the selected object and its child objects will be scanned for.The options are: Patches, Upgrades, and DVS Upgrades.

Click Scan.


Scanning VI Objects - ScheduledYou can configure the vSphere Client to run scans of objects in the inventory at specific times or intervals.

To schedule a scan

Choose Home > Management > Scheduled Tasks.

Click New in the toolbar to open the Select a Task to Schedule dialog box.

Select Scan for Updates, and click OK.


Reviewing Scan Results for Inventory Objects

To review scan results for inventory objects

Select Home > Inventory > object type (for example, Hosts and Clusters or VMs and Templates).

Select the object whose scan results you want to view.

Click the vCenter Update Manager tab.


Reviewing Scan Results for Inventory Objects

The results for scans completed on the object you select appear on the vCenter Update Manager tab.

The tab is divided in four panes: Baseline Groups – Displays a list of the baseline groups attached to the selected

object. Baselines – Displays a list of the baselines attached to the selected object or

included in a selected baseline group. Compliance – Contains a compliance graph that changes dynamically depending

on the inventory object you select.Below the graph is a list of the following items: All Applicable – Represents the total number of virtual machines or hosts for which

compliance is being calculated. Non-Compliant – Number of virtual machines or hosts that are not compliant with the

selected set of baselines and baseline groups. Unknown – Number of the virtual machines or hosts that are not scanned and their state

is unknown. Compliant – Number of compliant virtual machines or hosts.

Virtual Machines/Hosts – Depending on the objects you select, this pane contains different tables.


Staging Patches for ESX Hosts

Staging patches for ESX hosts allows you to download the patches from a remote server to a local server, without applying the patches immediately.

To stage patches for remediation

Choose Home > Inventory > Hosts and Clusters.

Right-click a Datacenter or an ESX host, and select Stage Update.

Select the patch baselines and baseline groups to stage.



Deselect the patches to exclude.

To view a short summary of the patch, such as title, vendor, product, details URL, vendor assigned ID, release date, and so on, double-click a patch.



Select when to stage the selected hosts, and click Next.

Review the Ready to Complete page, and click Finish.


Remediating VI Objects

You can remediate machines and virtual appliances either through user-initiated remediation or through regularly scheduled remediation.

For the ESX hosts in a cluster, the remediation process is sequential.

When you remediate a cluster of ESX hosts and one of the hosts fails to enter maintenance mode, the vCenter Update Manager reports an error and the process fails.

The remaining ESX hosts in the same cluster that did get remediated stay at the updated level.

The ones that were to be remediated after this host are not updated.

For multiple clusters under a datacenter, the remediation processes are parallel.

If the remediation process fails for one of the clusters within a datacenter, the remaining clusters are still remediated.


Remediating Templates

Templates are a type of virtual machine, so they can be remediated.

VMware recommends taking snapshots of templates before remediation, especially if the templates are sealed.

A template that is sealed is stopped before operating system installation is completed, and special registry keys are used so that virtual machines created from this template start in setup mode.

If errors occur, a template might not be returned to its sealed state.

If vCenter Update Manager loses its connection with the vCenter Server during remediation, the template cannot be returned to its sealed state.

Creating a snapshot before remediation provides for easy recovery from such issues.


Working with Updates

To manage the available patches, use the Update Repository tab. The Update Repository tab allows you to see the new patches that are downloaded, as well as the baselines, if any, that a given update belongs to.

You can see a table of all available patches.

To review the Update Repository


Click the Update Repository tab.


Update Manager Troubleshooting

Gathering Log Files

To gather information about recent events on the vCenter Update Manager server for diagnostic purposes, use the Generate vCenter Update Manager log bundle functionality that the support script vum-support.wsf provided.

To generate a vCenter Update Manager log bundle

Log in to the vCenter Server on which vCenter Update Manager is installed.

Choose Start > All Programs > VMware > Generate vCenter Update Manager log bundle.Log files are generated as a ZIP package, which is stored on the current user’s desktop.



No Baseline Updates Available

Baselines are based on metadata that vCenter Update Manager downloads from the Shavlik and VMware Web sites.

Shavlik provides metadata for virtual machines and applications, while VMware provides metadata for ESX Server hosts.

A common reason having no updates available for baselines might be that vCenter Update Manager cannot contact the Shavlik servers.

The connection between vCenter Update Manager and the Web site includes several links, the failure of any of which might cause updates in baselines to be unavailable.

Some possible causes and solutions include: Web server proxy misconfiguration. Shavlik servers being unavailable. Check the Shavlik Web site

(http://xml.shavlik.com) to determine whether it is available. VMware update service being unavailable to provide information about

ESX Server updates. Poor network connectivity. Check whether other applications that use

networking are functioning as expected.


Update Manager TroubleshootingAll Updates in Compliance Reports Are Not Applicable

The results of a scan might be that all baselines are marked as Not Applicable.

Such a condition typically indicates an error in scanning.

Examine the server logs for Scan Tasks that are marked as Failed, or retry the scan operation.

If problems persist, collect logs and contact VMware support for further assistance.

The results of scans are normally composed of a mix of Installed, Missing, and Not Applicable results.

For example, it is normal for a baseline composed of Linux patches to be Not Applicable to a Windows machine.

Not Applicable entries are typically only a concern when this is the universal result or when it is the result for patches that you know should be applicable.



Remediated Updates Continue to Be Not Compliant

For Windows virtual machines, check the registry to make sure that the updates were not installed.

Search for the Microsoft Knowledge Base (KB) number that pertains to the update in question.

These numbers are in:

The virtual machine’s registry in: HKLM\Software\Microsoft\Updates\<KB_number>

The virtual machine’s file system in: C:\Windows\NTUninstall\<KB_number>

Common explanations for this problem include:

Insufficient disk space for Service Pack installation. Retry remediation after freeing up disk space.

Conflicts with running applications. Reboot the virtual machine and then retry the remediation operation.



Remediating Virtual Machines with All Update or All Critical Updates Fails

In some instances, remediating virtual machines with the All Updates or All Critical Updates default baselines fails.

This typically occurs in one of the following ways:

Remediation fails to complete - To resolve the issue, end the patch process from the Task Manager in the guest. vCenter Update Manager posts events to identify the start and completion of a patch installation, along with the error code.

Remediation fails for some patches – Patches might not be readily available.

Remediation is completed, but the baseline is still not compliant – This condition might occur when applying patches that subsequently make other patches applicable.



ESX Server Scanning Fails

ESX Server scanning typically fails as a result of insufficient permissions or problems with SSL configuration.

Check to make sure that the account being used to do the scanning has sufficient permissions and that your SSL connections are properly configured.

Check vCenter Update Manager network port settings.



Events

vCenter Update Manager produces events that help you monitor the processes that the system is completing.

Check the VMware vCenter Update Manager Administration Guide for a list of these events


Lesson 2-10 Summary

Understand vCenter Update Manager

Creating Baselines and Baseline Groups

Scanning Host and Virtual Machines

Remediating Hosts and Virtual Machines

Understand the vCenter Update Manager Download Service

Learn how to troubleshoot vCenter Update Manager


Lesson 2-10 – OPTIONAL Lab 10

OPTIONAL LAB

Creating Baselines and Baseline Groups

Scanning Hosts and Virtual Machines

Remediating Hosts and Virtual Machines

Using the vCenter Update Manager Download Service

Troubleshooting vCenter Update Manager

vmware vcenter server update manager

Documents

update release

virtual appliances

diversity of systems

esx host

security best practicesto

security risks

host profileslesson

patching standards