VCAP-DCA 5 Objective 5.2 – Deploy and Manage Complex Update Manager Environments


For this objective I used the following resources:

  • Installing and Administering VMware vSphere Update Manager
  • Reconfiguring VMware vSphere Update Manager
  • VMware KB Article 1012382 “TCP and UDP Ports required to access vCenter Server, ESX/ESXi hosts, and other network components”
  • VMware KB Article 1004543 “VMware Update Manager network port requirements”

Knowledge

Identify Firewall Access Rules for Update Manager

| Port | Source | Target | Purpose |
|------|--------|--------|---------|
| 80 | Update Manager Server | VMware.com & xml.shavlik.com | To obtain metadata for the updates, Update Manager must be able to connect to the target sites |
| 80 | ESXi Host | Update Manager Server | ESXi Host to Update Manager Server. The reverse proxy forwards the request to port 9084 |
| 443 | Update Manager Server | VMware.com & xml.shavlik.com | To obtain metadata for the updates, Update Manager must be able to connect to the target sites |
| 443 | ESXi Host | Update Manager Server | ESXi Host to Update Manager Server. The reverse proxy forwards the request to port 9084 |
| 443 | vCenter Server | Update Manager Server | vCenter Server to Update Manager Server. The reverse proxy forwards the request to port 8084 |
| 902 | Update Manager Server | ESXi Host | To push patches and updates from Update Manager to the ESX/ESXi Hosts to be updated |
| 1433 | Update Manager Server | Microsoft SQL Server | Update Manager to Microsoft SQL Server connectivity (for UM Database) |
| 1521 | Update Manager Server | Oracle Database Server | Update Manager to Oracle connectivity (for UM Database) |
| 8084 | Update Manager Server | vCenter Server | SOAP between components of Update Manager Server and the vCenter Update Manager client plug-in. Configurable at install |
| 9084 | Update Manager Server | ESXi Host | ESX/ESXi hosts connect to the VUM webserver listening for updates. Configurable at install |
| 9087 | Update Manager Server | vCenter Server | Port used for uploading host update files. Configurable at install |
| 9000-9100 | ESXi Host | Update Manager Server | This is the recommended port range from which to choose ports for Update Manager if ports 80 and 443 are already in use. Update Manager automatically opens these ports for ESX Host scanning and remediation |

Network port information provided by VMware KB Article 1004543 and VMware KB Article 1012382.
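
One way to check these rules from the Update Manager server after a firewall change, as an added example that is not part of the original post. It probes the rows where the Update Manager server initiates the connection and treats 8084, 9084 and 9087 as local listeners, as the Purpose column describes; the host names are placeholders.

```powershell
# Added example. Run on the Update Manager server (PowerShell 4.0 or later).
# Host names below are placeholders, not values from the article.
$EsxiHost = 'esxi01.example.local'   # placeholder: ESXi management address
$DbServer = 'sql01.example.local'    # placeholder: Update Manager database server
$DbPort   = 1433                     # 1433 for Microsoft SQL Server, 1521 for Oracle

# Rows of the table where the Update Manager server initiates the connection.
$outbound = @(
    @{ Target = 'vmware.com';      Port = 80;      Purpose = 'Update metadata' }
    @{ Target = 'vmware.com';      Port = 443;     Purpose = 'Update metadata' }
    @{ Target = 'xml.shavlik.com'; Port = 80;      Purpose = 'Update metadata' }
    @{ Target = 'xml.shavlik.com'; Port = 443;     Purpose = 'Update metadata' }
    @{ Target = $EsxiHost;         Port = 902;     Purpose = 'Push patches to host' }
    @{ Target = $DbServer;         Port = $DbPort; Purpose = 'Update Manager database' }
)

$outboundResults = foreach ($rule in $outbound) {
    $probe = Test-NetConnection -ComputerName $rule.Target -Port $rule.Port `
                                -WarningAction SilentlyContinue
    [pscustomobject]@{
        Check   = 'Outbound'
        Target  = $rule.Target
        Port    = $rule.Port
        Purpose = $rule.Purpose
        Ok      = $probe.TcpTestSucceeded
    }
}

# Install-time default ports that the Update Manager services listen on locally.
$listenerResults = foreach ($port in 8084, 9084, 9087) {
    $socket = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check   = 'Listening'
        Target  = $env:COMPUTERNAME
        Port    = $port
        Purpose = 'Update Manager service port'
        Ok      = [bool]$socket
    }
}

$results = @($outboundResults) + @($listenerResults)
$results | Format-Table -AutoSize

# Non-zero exit code when any check fails, so the script can gate a change window.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

If the SOAP or web ports were changed at install time, replace 8084, 9084 and 9087 with the values chosen then.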

Skills and Abilities

Install and Configure Update Manager Download Service

In some network environments, the vCenter Server and Update Manager server do not have direct access to the Internet but can reach a host that does. In these cases, you can use the Update Manager Download Service (UMDS) to download the patch binaries.

  • UMDS Prerequisites
    • Ensure that the machine on which you install UMDS has Internet access
    • Uninstall prior versions of UMDS if installed
    • The Update Manager DB needs to be configured, with an ODBC connection configured on the host
    • UMDS and Update Manager must be installed on different machines
  • Installing UMDS
    • Insert the VMware vCenter Update Manager installation DVD in the DVD drive
    • Browse to the “umds” folder on the DVD and run “VMware-UMDS.exe”
    • Select the language for the installation and click OK
    • Review the Welcome page and click Next
    • Read the patent agreement and click Next
    • Accept the terms in the license agreement and click Next
    • Select the database options and click Next
    • Enter the Update Manager Download Service proxy settings and click Next
    • Select the Update Manager Download Service installation and patch download directories and click Next
    • Click Install to begin the installation
    • Click Finish when complete
  • Configuration Commands
    • To download ESX/ESXi host updates and virtual appliance updates:

vmware-umds -S --enable-host --enable-va

    • To download ESX/ESXi host updates and disable virtual appliance updates:

vmware-umds -S --enable-host --disable-va

    • To download only ESXi 5.x patches:

vmware-umds -S --disable-host

vmware-umds -S -e embeddedEsx-5.0.0

Configure a Shared Repository

You must create the shared repository using UMDS and host it on a web server or a local disk. The UMDS you use must be of a version compatible with Update Manager. Connect the vSphere Client to a vCenter Server system with which Update Manager is registered, and click Update Manager under Solutions and Applications on the Home page. Then follow these steps:

  • On the Configuration tab, under Settings, click Patch Download Settings
  • In the Patch Download Sources pane, select Use a shared repository
  • Enter the path or the URL to the shared repository

NOTE – You cannot use folders located on a network drive as a shared repository. Update Manager does not download patch binaries, patch metadata, and notifications from folders on a network share

  • Click Validate URL to validate the path. Make sure that the validation is successful. If the validation fails, Update Manager reports a reason for the failure. You can use the path to the shared repository only when the validation is successful
  • Click Apply
  • Click Download Now to run the VMware vCenter Update Manager Update Download task and to download the patches and notifications immediately
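
The UMDS side of this procedure as a script, as an added example that is not part of the original post: it scopes the download with the configuration commands shown earlier, then downloads and exports the patch store to the folder that becomes the shared repository. The `-D` and `-E --export-store` options are not shown in the post, and both paths are placeholders.

```powershell
# Added example. Both paths are placeholders; adjust them to the UMDS machine.
$Umds  = 'C:\UMDS\vmware-umds.exe'   # placeholder: vmware-umds.exe in the UMDS installation directory
$Store = 'D:\umds-export'            # placeholder: folder served by the web server or kept on local disk

function Invoke-Umds {
    param([Parameter(Mandatory)][string[]]$Arguments)
    Write-Host "vmware-umds $($Arguments -join ' ')"
    & $Umds @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "vmware-umds $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path -LiteralPath $Umds)) { throw "vmware-umds.exe not found at $Umds" }
New-Item -ItemType Directory -Path $Store -Force | Out-Null

# 1. Limit the download scope to ESXi 5.x host patches (commands from the article).
Invoke-Umds -Arguments '-S', '--disable-host'
Invoke-Umds -Arguments '-S', '-e', 'embeddedEsx-5.0.0'

# 2. Download the selected patch metadata and binaries into the UMDS patch store.
Invoke-Umds -Arguments '-D'

# 3. Export the patch store to the folder that will become the shared repository.
Invoke-Umds -Arguments '-E', '--export-store', $Store

# 4. Sanity check: confirm the export wrote files before pointing Update Manager at it.
$exported = Get-ChildItem -LiteralPath $Store -Recurse -File
if (-not $exported) { throw "Export produced no files in $Store" }
"{0} files exported to {1}" -f @($exported).Count, $Store
```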

Configure Smart Rebooting

Smart rebooting selectively restarts the virtual appliances and virtual machines in the vApp to maintain startup dependencies. You can enable and disable smart rebooting of virtual appliances and virtual machines in a vApp after remediation. Smart rebooting is enabled by default. If you disable smart rebooting, the virtual appliances and virtual machines are restarted according to their individual remediation requirements, disregarding existing startup dependencies.

Procedure:

  • Connect the vSphere Client to a vCenter Server system with which Update Manager is registered, and click Update Manager under Solutions and Applications on the Home Page
  • On the Configuration tab, under Settings, click vApp Settings
  • Deselect Enable smart reboot after remediation to disable smart rebooting

Manually Download Updates to a Repository

Instead of using a shared repository or the Internet as a patch download source, you can import patches and extensions manually by using an offline bundle. You can import offline bundles only for hosts that are running ESX/ESXi 4.0 or later.

Prerequisites

  • The patches and extensions you import must be in ZIP format
  • To import patches and extensions, you must have the Upload File privilege

Procedure

  • Connect the vSphere Client to a vCenter Server system with which Update Manager is registered, and click Update Manager under Solutions and Applications on the Home Page
  • On the Configuration tab, under Settings, click Patch Download Settings
  • Click Import Patches at the bottom of the Patch Download Sources pane
  • On the Select Patches page of the Import Patches wizard, browse to and select the .zip file containing the patches you want to import
  • Click Next and wait until the file upload completes successfully
  • Click Next
  • On the Confirm Import page of the Import Patches wizard, review the patches that you import into the Update Manager repository
  • Click Finish

You have imported the patches into the Update Manager patch repository. You can view the imported patches on the Update Manager Patch Repository tab.

Perform Orchestrated vSphere Upgrades

Orchestrated upgrades allow you to upgrade the objects in your vSphere inventory in a two-step process: host upgrades followed by virtual machine upgrades. You can configure the process at the cluster level for higher automation, or at the individual host or virtual machine level for granular control.
You can upgrade clusters without powering the virtual machines off as long as VMware Distributed Resource Scheduler (DRS) is available for the cluster. To perform an orchestrated upgrade, you must first remediate a cluster against a host upgrade baseline, and then remediate the same cluster against a virtual machine upgrade baseline group containing the VM Hardware Upgrade to Match Host and VMware Tools Upgrade to Match Host baselines.

Create and Modify Baseline Groups

Baselines contain a collection of one or more updates such as service packs, patches, extensions, upgrades, or bug fixes. Baseline groups are assembled from existing baselines. When you scan hosts, virtual machines, and virtual appliances, you evaluate them against baselines to determine their level of compliance.

Update Manager supports different types of baselines that you can use and apply when scanning and remediating objects in your inventory:

  • Upgrade Baseline – Defines which version a particular host, virtual hardware, VMware Tools, or virtual appliance should be.
  • Patch Baseline – Defines a number of patches that must be applied to a given host or virtual machine
  • Extension Baseline – Contains extensions (additional software such as third-party device drivers) that must be applied to a given host. Extensions are installed on hosts that do not have such software installed on them and patched on hosts that already have the software installed. All third-party software for ESX/ESXi hosts is classified as a host extension, although host extensions are not restricted to just third-party software.

Update Manager includes default baselines that you can use to scan any virtual machine, virtual appliance, or host to determine whether they have all patches applied for the different categories or are upgraded to the latest version. The default baselines cannot be modified or deleted:

  • Critical Host Patches – Checks ESX/ESXi hosts for compliance with all critical patches
  • Non-Critical Host Patches – Checks ESX/ESXi hosts for compliance with all optional patches
  • VMware Tools Upgrade to Match Host – Checks virtual machines for compliance with the latest VMware Tools version on the host. Update Manager supports upgrading of VMware Tools for virtual machines on hosts that are running ESX/ESXi 4.0 and later
  • VM Hardware Upgrade to Match Host – Checks the virtual hardware of a virtual machine for compliance with the latest version supported by the host. Update Manager supports upgrading to virtual hardware version 8.0 on hosts that are running ESXi 5.x
  • VA Upgrade to Latest – Checks virtual appliances for compliance with the latest released virtual appliance version

Create a Fixed Patch Baseline

  • Connect the vSphere Client to a vCenter Server system with which Update Manager is registered, and click Update Manager under Solutions and Applications on the Home Page
  • On the Baselines and Groups tab, click Create above the Baselines pane; this launches the New Baseline wizard
  • In the New Baseline wizard, under Baseline Type, select Host Patch and click Next
  • Select Fixed for the type of baseline and click Next
  • Select individual patches to include, and click the down arrow to add them to the Fixed Patches to Add list
  • (Optional) Click Advanced to find specific patches to include in the baseline
  • Click Next
  • Review the Ready to Complete page and click Finish

The fixed patch baseline is displayed in the Baselines pane of the Baselines and Groups tab

Create a Dynamic Patch Baseline

  • Connect the vSphere Client to a vCenter Server system with which Update Manager is registered, and click Update Manager under Solutions and Applications on the Home Page
  • On the Baselines and Groups tab, click Create above the Baselines pane
  • In the New Baseline wizard, under Baseline Type, select Host Patch and click Next
  • Select Dynamic as the type of baseline, and click Next
  • On the Dynamic Baseline Criteria page, enter criteria to define the patches to include, and then click Next
  • (Optional) On the Patches to Exclude page, select one or more patches in the list and click the down arrow to permanently exclude them from the baseline
  • (Optional) Click Advanced to select specific patches to exclude from the baseline
  • Click Next
  • (Optional) On the Other Patches to Add page, select individual patches to include in the baseline and click the down arrow to move them into the Fixed Patches to Add list
  • (Optional) Click Advanced to select specific patches to include in the baseline
  • Review the Ready to Complete page and click Finish

The dynamic patch baseline is displayed in the Baselines pane of the Baselines and Groups tab
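
The same two baseline types created from Update Manager PowerCLI and used for a compliance scan, as an added example that is not part of the original post. It assumes vSphere PowerCLI with the Update Manager cmdlets (named as in the vSphere 5.x release) and an existing Connect-VIServer session; the cluster and baseline names are placeholders.

```powershell
# Added example. Assumes the Update Manager PowerCLI cmdlets are loaded and
# Connect-VIServer has already been run. All names below are placeholders.
$clusterName = 'Cluster01'                      # placeholder cluster name
$cluster     = Get-Cluster -Name $clusterName
$vmHosts     = Get-VMHost -Location $cluster

# Fixed baseline: a frozen list of patches, here the critical host patches
# released in the 90 days before the script runs.
$patches = Get-Patch -TargetType Host -Severity Critical -After (Get-Date).AddDays(-90)
$fixed   = New-PatchBaseline -Static -Name 'Test - Fixed Critical' `
                             -TargetType Host -IncludePatch $patches

# Dynamic baseline: a rule; patches downloaded later that match the criteria
# are included without editing the baseline.
$dynamic = New-PatchBaseline -Dynamic -Name 'Test - Dynamic Critical' `
                             -TargetType Host -SearchPatchSeverity Critical

# Attach both baselines to the cluster and scan its hosts against them.
Attach-Baseline -Entity $cluster -Baseline $fixed, $dynamic
Scan-Inventory -Entity $cluster

# Report compliance per host and baseline; list anything that is not compliant.
$report = Get-Compliance -Entity $vmHosts |
    Select-Object @{ Name = 'Host';     Expression = { $_.Entity.Name } },
                  @{ Name = 'Baseline'; Expression = { $_.Baseline.Name } },
                  Status
$report | Sort-Object Host, Baseline | Format-Table -AutoSize

$gaps = @($report | Where-Object { $_.Status -ne 'Compliant' })
"{0} host/baseline pairs are not compliant" -f $gaps.Count
```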

Troubleshoot Update Manager Problem Areas and Issues

Refer to chapter 17 “Troubleshooting” of the Installing and Administering VMware vSphere Update Manager documentation for troubleshooting examples and solutions.

Generate Database Reports Using MS Excel or MS SQL

Using Microsoft Excel, you can connect to the Update Manager database and query the database views to generate a common report:

  • Log in to the computer on which the Update Manager database is set up
  • From the Windows Start menu, select Programs > Microsoft Office > Microsoft Excel
  • Click Data > Import External Data > New Database Query
  • In the Choose Data Source window, select VMware Update Manager and click OK
  • In the Query Wizard – Choose Columns window, select the columns of data to include in your query and click Next
  • Click OK in the warning message that the query wizard cannot join the tables in your query
  • In the Microsoft Query window, drag a column name from the first view to the other column to join the columns in the tables manually

Using a Microsoft SQL Server query, you can generate a common report from the Update Manager database. An example query is provided on page 179 of the VMware vCenter Update Manager Installation and Administration Guide.

Upgrade vApps Using Update Manager

vApps are managed in the same way as hosts or VMs. You will need to create a baseline and attach it to the vApp object. You can then perform scans and remediations as documented for hosts and VMs.

Utilize Update Manager PowerCLI to Export Baselines for Testing

See pages 155 through 158 of the Installing and Administering VMware vSphere Update Manager documentation for a full eight-step workflow as well as the required PowerCLI script to complete this task.

Utilize the Update Manager Utility to Reconfigure VUM Settings

The Update Manager Utility is available by default when you install either Update Manager or UMDS. The tool allows for post-installation configuration of the following settings:

  • Proxy Settings
  • Database Settings (user name and password)
  • Re-register to vCenter Server
  • SSL Certificate

To launch the application, browse to the installation directory for Update Manager or UMDS (by default this should be C:\Program Files (x86)\VMware Infrastructure\Update Manager) and look for the VMwareUpdateManagerUtility executable. Below is a screenshot after launching the application and logging in:

[Screenshot: VUMUtility]

For additional information review the Reconfiguring VMware vSphere Update Manager documentation.