
Patch Management

Module 13

2011 VMware Inc. All rights reserved


VMware vSphere: Install, Configure, Manage Revision A


Importance
Over time, your VMware vSphere environment might undergo
change in its hardware or software configuration, or in the form of
software updates or patches. From a manageability and scalability
perspective, you should implement changes to your vSphere
environment in an orderly, controlled, and systematic fashion.


Learner Objectives
After this lesson, you should be able to do the following:
- Describe VMware vCenter Update Manager.
- List the steps to install Update Manager.
- Use Update Manager:
  - Create and attach a baseline.
  - Scan an inventory object.
  - Remediate an inventory object.


Update Manager
Update Manager enables centralized, automated patch and version
management for VMware ESXi hosts, virtual machine hardware,
VMware Tools, and virtual appliances.
Update Manager reduces security risks by:
- Keeping systems up to date, which reduces the number of vulnerabilities
- Eliminating many security breaches that exploit older vulnerabilities
- Reducing the diversity of systems in an environment, which:
  - Makes management easier
  - Reduces security risks


Update Manager Capabilities


- Enables cross-platform upgrade from VMware ESX to ESXi
- Automated patch downloading:
  - Begins with information-only downloading
  - Is scheduled at regular configurable intervals
  - Contacts the following sources:
    - For ESXi patching: https://hostupdate.vmware.com
    - For third-party patches: URL of third-party source
- Creation of baselines and baseline groups
- Scanning:
  - Inventory systems are scanned for baseline compliance.
- Remediation:
  - Inventory systems that are not current can be automatically patched.
- Reduces the number of reboots required after VMware Tools updates

Update Manager Components


[Figure: Update Manager components. Labels: VMware vSphere Client with Update Manager plug-in; VMware vCenter Server system; vCenter Server database; Update Manager server; patch database; database server; optional download server with its own patch database; hosts; Internet; VMware patch source; third-party patch source.]


Installing Update Manager


- Update Manager must be installed on a 64-bit machine.
- To install, start the VMware vCenter Installer and click VMware vSphere Update Manager.
- Information needed during the installation:
  - vCenter Server host name, user name, and password
  - Choice of database: use default or existing database
  - Update Manager port settings:
    - Host name, ports, proxy settings (if necessary)
  - Destination folder and location for downloading patches
- To install the Update Manager client:
  - Install the Update Manager Extension plug-in into the vSphere Client.


Configuring Update Manager Settings


By default, all patch sources are enabled. Additional patch sources can be added if necessary.

Modify Update Manager configuration properties.


Baseline and Baseline Groups


- A baseline consists of one or more patches, extensions, or upgrades.
- There are five types of baselines:
  - Host patch
  - Host extension
  - Host upgrade
  - Virtual machine patch
  - Virtual appliance upgrade
- Update Manager includes a number of default baselines.
- A baseline group consists of multiple baselines:
  - Can contain one upgrade baseline per type and one or more patch and extension baselines

[Figure: example of default baselines for hosts]


Creating a Baseline
To create a baseline:
1. Click Create.
2. Specify name and description.
3. Choose a baseline type.
4. For a patch baseline, select a patch option: Fixed or Dynamic.
5. Select patches to add to the baseline.

A host patch is added to this baseline.


Attaching a Baseline
To view compliance information and remediate inventory objects,
first attach a baseline or baseline group to an object.
For improved efficiency, attach a baseline to a container object
instead of to an individual object.


Scanning for Updates


Scanning evaluates the inventory object against the baseline or
baseline group.
A scan can be performed manually or automatically, using a
scheduled task.


Viewing Compliancy

In this example, the scan found two noncompliant hosts.
After the scan, patches and updates can be staged first and then remediated at a later time.


Remediating Objects
You can remediate virtual machines, templates, virtual appliances,
and hosts.
You can perform the remediation immediately or schedule it for a
later date.


Maintenance Mode and Remediation

Power off or suspend virtual machines
Option for PXE booted ESXi 5.0


Remediation Options for a Cluster


When remediating hosts in a cluster, you must temporarily disable certain cluster features: vSphere Distributed Power Management, vSphere HA, FT.

You can generate a report that identifies problems before remediation occurs.


Patch Recall Notification


- At regular intervals, Update Manager contacts VMware to download notifications about patch recalls, new fixes, and alerts.
- Notification Check Schedule is selected by default.
- On receiving patch recall notifications, Update Manager:
  - Generates a notification in the notification tab
  - No longer applies the recalled patch to any host:
    - Patch is flagged as recalled in the database.
  - Deletes the patch binaries from its patch repository
  - Does not uninstall recalled patches from ESXi hosts:
    - Instead, it waits for a newer patch and applies that to make a host compliant.


Remediation Enabled for DRS

Eliminate downtime for virtual machines when patching ESXi hosts:
1. Update Manager puts host in maintenance mode.
2. vSphere Distributed Resource Scheduler (DRS) moves virtual machines to available host.
3. Update Manager patches host and then exits maintenance mode.
4. DRS moves virtual machines back per rule.


Lab 20
In this lab, you will install, configure, and use Update Manager.
1. Install Update Manager.
2. Install the Update Manager plug-in into the vSphere Client.
3. Modify cluster settings.
4. Configure Update Manager.
5. Create a patch baseline.
6. Attach a baseline and scan for updates.
7. Stage patches onto ESXi hosts.
8. Remediate ESXi hosts.
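
The baseline, attach, scan, stage and remediate steps of the lab can also be scripted. The following is an added example, not part of the course material; it assumes the Update Manager PowerCLI cmdlets are installed, and the vCenter address, cluster name and baseline name are placeholders.

```powershell
# Added example; the three names below are placeholders, not values from the course.
$vCenter      = 'vcenter.example.local'
$clusterName  = 'Lab-Cluster'
$baselineName = 'Critical Host Patches'

Connect-VIServer -Server $vCenter | Out-Null
$cluster = Get-Cluster -Name $clusterName

# Create a fixed (static) host patch baseline from the critical host patches
# that Update Manager has already downloaded into its patch repository.
$patches = Get-Patch -TargetType Host | Where-Object { $_.Severity -eq 'Critical' }
if (-not $patches) { throw 'No critical host patches in the repository; nothing to baseline.' }
$baseline = New-PatchBaseline -Static -Name $baselineName -TargetType Host `
    -Description 'Fixed baseline of critical ESXi patches' -IncludePatch $patches

# Attach the baseline to the container object (the cluster), then scan it.
Attach-Baseline -Baseline $baseline -Entity $cluster
Scan-Inventory -Entity $cluster

# Report compliance per host and collect the hosts that need patching.
$noncompliant = foreach ($vmhost in Get-VMHost -Location $cluster) {
    $c = Get-Compliance -Entity $vmhost -Baseline $baseline
    Write-Host ("{0}: {1}" -f $vmhost.Name, $c.Status)
    if ($c.Status -eq 'NotCompliant') { $vmhost }
}

if ($noncompliant) {
    # Stage first so the patch binaries are already on the hosts
    # when the maintenance window opens.
    foreach ($vmhost in $noncompliant) {
        Stage-Patch -Entity $vmhost -Baseline $baseline
    }

    # Remediate the cluster with DPM, HA and FT temporarily disabled,
    # as required when remediating hosts in a cluster.
    Remediate-Inventory -Entity $cluster -Baseline $baseline `
        -ClusterDisableDistributedPowerManagement:$true `
        -ClusterDisableHighAvailability:$true `
        -ClusterDisableFaultTolerance:$true

    # Scan again and confirm that every host now reports as compliant.
    Scan-Inventory -Entity $cluster
    foreach ($vmhost in Get-VMHost -Location $cluster) {
        Get-Compliance -Entity $vmhost -Baseline $baseline
    }
}
```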


Review of Learner Objectives


You should be able to do the following:
- Describe Update Manager.
- List the steps to install Update Manager.
- Use Update Manager:
  - Create and attach a baseline.
  - Scan an inventory object.
  - Remediate an inventory object.


Key Points

- Update Manager patches and updates ESXi 5.0 hosts as well as earlier versions of ESX/ESXi, virtual machines, templates, and virtual appliances.
- Update Manager reduces security vulnerabilities by keeping systems up to date and by reducing the diversity of systems in an environment.
- Update Manager no longer patches guest operating systems or the applications running within guest operating systems.
