37

This seems basic, but I'm confused about the patching strategy involved with manually updating standalone VMware ESXi hosts. The VMware vSphere blog attempts to explain this, but the actual process is still not clear to me.

From the blog:
Say Patch01 includes updates for the following VIBs: "esxi-base", "driver10" and "driver 44". And then later Patch02 comes out with updates to "esxi-base", "driver20" and "driver 44". P2 is cumulative in that the "esxi-base" and "driver44" VIBs will include the updates in Patch01. However, it's important to note that Patch02 does not include the "driver 10" VIB as that module was not updated.

This VMware Communities post gives a different answer. This one contradicts the other.

Many of the ESXi installations I encounter are standalone and do not utilize Update Manager. It is possible to update an individual host using the patches made available through the VMware patch download portal. The process is quite simple, so that part makes sense.

The bigger issue is determining what exactly to actually download and install. In my case, I have a good number of HP-specific ESXi builds that incorporate sensors and management for HP ProLiant hardware.

  • Let's say that those servers start with an ESXi build #474610 from 9/2011.
  • Looking at the patch portal screenshot below, there is a patch for ESXi update01, build #623860. There are also patches for builds #653509 and #702118.
  • Coming from an old version of ESXi (e.g. vendor-specific build), what is the proper approach to bring the system fully up-to-date? Which patches are cumulative and which need to be applied sequentially? Is installing the newest build the right approach, or do I need to step back and patch incrementally?
  • Another consideration is the large size of the patch downloads. At sites with limited bandwidth, downloading multiple ~300 MB patches is difficult.

[Screenshot: VMware patch download portal listing for ESXi 5.0]

ewwhite
  • 2
    Is there a reason why you would not just install Update Manager, and let it determine what patches you actually need? Are those really standalone as in "only 1 esx host without vCenter" ? – MichelZ Jun 18 '12 at 14:56
  • 2
    Yes. *Standalone*, as in a single host running without vCenter. Envision a branch office or a test environment or simply a site without the resources to purchase a license package that includes vCenter. Perhaps they even have Update Manager, but no failover resources (hosts) to actually apply the patches... – ewwhite Jun 18 '12 at 14:58
  • A license package with vCenter goes for $600.. don't think that should be the problem :) But OK, see what you want. – MichelZ Jun 18 '12 at 15:01
  • @MichelZ But if you have a single host, it does not matter if you have a license. Update Manager won't work in that situation. – ewwhite Jun 20 '12 at 13:15
  • True, but you could at least let UM scan the host and be sure you have all patches you need – MichelZ Jun 20 '12 at 13:19
  • 6
    *The ESXi installations I encounter are standalone and do not utilize Update Manager.* – ewwhite Jun 20 '12 at 13:31

5 Answers

6

ESXi patches are cumulative. I just went from Build Number: 623860 to Build Number: 721882 skipping several patches. No problems.

VMware Employee Kyle Gleed says "Patches are cumulative. We typically release patch bundles every 3 months. A new patch bulletin will include all the updates/fixes from any earlier bulletins."

http://blogs.vmware.com/vsphere/2012/02/understanding-esxi-patches-finding-patches.html

Hawk
  • 1
    I linked to that blog in my original post. Kyle also posts *"...but you need to pay attention to the VIBs included in each patch as we may not include all VIBs with the patch."* So the chances are that you're likely missing some updates. – ewwhite Jun 17 '12 at 02:41
  • I wouldn't go from base ESXi5 to latest patch. I would go from ESXi5 to Update1 to latest patch. If you are still concerned, install each patch one by one. – Hawk Jun 17 '12 at 03:03
  • That approach requires quite a few ~300 MB downloads... – ewwhite Jun 18 '12 at 14:52
6

There is a new blog post from VMware

The relevant summary is:

In short, the answer is yes, the ESXi patch bundles are cumulative. However, when applying patches from the command line using the ESXCLI command you do need to be careful to avoid getting into a situation where you could miss some updates.

The key is when applying patches from the command line you need to make sure you apply patches using the “esxcli software profile update …” command and not the “esxcli software vib update …” command.

...

Patches are essentially updates to VIBs and are distributed as ZIP archives. These archives can be loaded into Update Manager, or they can be copied to the host and used with the ESXCLI command. It’s important to note that along with the updated VIBs the patch archives also include the latest version of all the other VIBs in the image profile. When you download a patch you aren’t just downloading the updates. You’re getting the complete ESXi software image.

So, yes. They are cumulative as long as you install them properly.

MDMarra
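To make the `profile update` versus `vib update` distinction concrete, here is an added model (not VMware's code and not part of the answer above) of how each esxcli command changes a host's VIB inventory. The VIB names and versions are constructed, and the command semantics are assumptions taken from VMware's documented behaviour: `vib update` only touches VIBs already installed, `profile update` also adds VIBs the profile carries that the host lacks, and `profile install` makes the host match the profile exactly.

```python
"""Model of how three esxcli software commands change a host's VIB set.

Assumed semantics (not verified against a live host here):
  esxcli software vib update      - updates installed VIBs only, adds nothing
  esxcli software profile update  - updates installed VIBs and adds missing ones
  esxcli software profile install - host ends up exactly equal to the profile
"""
import re


def vib_key(version):
    """Comparable key for a VIB version such as '5.0.0-1.11.623860'.

    Numeric parts compare as ints; non-numeric parts (e.g. '1vmw') as strings.
    """
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.-]", version))


def vib_update(installed, profile):
    """vib update: bump installed VIBs to newer profile versions; never add."""
    result = dict(installed)
    for name, ver in profile.items():
        if name in result and vib_key(ver) > vib_key(result[name]):
            result[name] = ver
    return result


def profile_update(installed, profile):
    """profile update: bump installed VIBs and add VIBs missing from the host."""
    result = vib_update(installed, profile)
    for name, ver in profile.items():
        result.setdefault(name, ver)
    return result


def profile_install(installed, profile):
    """profile install: host matches the image profile, extras are dropped."""
    return dict(profile)


def missed_by_vib_update(installed, profile):
    """VIBs shipped in the patch that 'vib update' would leave off the host."""
    return sorted(set(profile) - set(vib_update(installed, profile)))


# Constructed host inventory: driver10 was never present on this build.
HOST = {"esx-base": "5.0.0-0.0.474610", "driver44": "5.0.0-0.0.474610"}
# Constructed cumulative patch profile: carries every VIB of the image.
PATCH = {"esx-base": "5.0.0-1.11.623860", "driver44": "5.0.0-1.11.623860",
         "driver10": "5.0.0-1.11.623860"}

if __name__ == "__main__":
    print("vib update      ->", vib_update(HOST, PATCH))
    print("profile update  ->", profile_update(HOST, PATCH))
    print("left out by vib update:", missed_by_vib_update(HOST, PATCH))
```

Running it shows `driver10` is left out by `vib update` but picked up by `profile update`, which is exactly the gap the blog post warns about.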
4

The patches appear to be cumulative, assuming you start with the most recent installable (.ISO-based) package as a foundation.

So my most recent example was pulling the ESXi 5.1 .ISO (build #799733) down and installing it onto my physical servers. From there, I had an option of build #838463 or #914609. Close analysis of the changelogs and knowledgebase entries showed that the #914609 build included everything from #838463. So I was able to go directly to that revision level, starting from the base install (#799733).

[Screenshot: patch portal listing for ESXi 5.1 showing builds #838463 and #914609]

ewwhite
3

Given the complexity of their patching system, I would install the latest build and update from there if that is possible in your environment.

Store all of your downloads in one location, renaming them if necessary/possible so that you know the order to patch on your other systems with limited bandwidth. Put those files on a large USB and take it with you to your other locations.

Trying to figure out that goofy patch structure looks maddening.

SuperMykEl
  • 1
    What do you mean by "latest build"? Just ignore the updates and install the latest-available ISO image? The incremental build numbers listed in the screenshot above are not fully-installable images. So they are applied to a full ISO installation. – ewwhite Jun 28 '12 at 06:47
  • Yes, pretty much. If this is a possibility in your environment, and it would lighten your patch load so to speak, it would seem the safest, and most expedient way to me. – SuperMykEl Jun 28 '12 at 17:26
-2

ewwhite, you may have already come across this article but I had it bookmarked a while back:

http://blogs.vmware.com/vsphere/2012/02/understanding-esxi-patches-finding-patches.html

Hopefully this helps

JMeterX