Objective 6.1 – Install, configure and manage VMware vCenter Update Manager
Determine installation requirements and database sizing
The VMware vCenter Update Manager (VUM) can be run on the same server as vCenter, but the minimum requirements are:
- two processors (2GHz)
- gigabit ethernet network adapter
- 2GB RAM (dedicated server) or 4GB RAM (shared with vCenter)
VUM supports the following database server software: Microsoft SQL Server 2005, 2008, 2005 Express edition, Oracle 10g release 1, 10g release 2 and 11g release 1. NOTE: Express edition is only recommended for small deployments i.e. 5 hosts and 50 virtual machines.
For database sizing help download the following spreadsheet: vsp_vum_41_sizing_estimator/
NOTE: Big gotcha! – If you install vCenter and configure linked mode before you install VUM you will need to install an instance of VUM per vCenter instance.
Install VUM and client components
Before starting the installation, ensure you have the following:
- vCenter IP address
- vCenter service username
- vCenter service password
- vCenter HTTP port (TCP Port 80 by default)
- a 32 bit ODBC DSN configured for the VUM database.
- at least 20GB of disk space for patches.
To install VUM follow the steps below:
vCenter Update Manager > accept EULA > Next > define vCenter IP address, port, service username and password > Next > specify database [existing database and DSN | use SQL express] > Next > DSN summary (if you haven’t specified integrated authentication for the DSN then you’ll need to specify a username and password) > Next > define VUM IP address and ports > Next > define installation and patch download directories > Next > Install.
Once VUM has been installed you can install the plug-in from the vSphere client > plug-ins > manage plug-ins > follow the wizard to complete the installation.
Configure Update Manager settings
The configuration settings allow you to define how VUM will handle virtual machine upgrades and host upgrades.
The virtual machine upgrade configuration settings allow you to define whether VUM will snapshot the virtual machine first and, if so, how long it will keep the snapshot.
The options are:
- check whether to enable snapshots
- Indefinite snapshots
- fixed period snapshots
The host upgrade configuration settings allow you to define what happens should a host fail to go into maintenance mode.
The options are:
- fail and alert the administrator
- retry x no. of times as defined by the administrator
- power off the virtual machines and retry
- suspend the virtual machines and retry
The above configuration settings are defined via the vSphere client; VUM > configuration > Settings > [virtual machine settings| ESX host settings] > settings defined above.
Configure patch download options
The communication port for VUM > vCenter is TCP port 80.
The communications port for ESX/ESXi > VUM is TCP port 9084 (package downloads).
The communications port for VUM > ESX/ESXi is TCP port 902 (packages pushed from VUM).
The VUM client connects to the VUM SOAP instance on TCP port 8084 and the VUM web server instance on TCP port 9087.
NOTE: VUM supports scanning hosts and virtual machines over IPv4 but only supports scanning of hosts over IPv6.
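As an added example (not part of the original notes and not VMware tooling), the Python below checks a firewall ruleset against the TCP flows listed above. It reports required flows that no rule permits and rules reaching the VUM server that are wider than those flows need. The zone names (vum, vcenter, esx, client, any) and the sample rules are constructed for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    port: int

class Rule(NamedTuple):
    src: str   # zone name, or "any" for a wildcard
    dst: str
    lo: int    # first TCP port allowed
    hi: int    # last TCP port allowed

# TCP flows taken from the port list above.
REQUIRED = [
    Flow("vum", "vcenter", 80),    # VUM > vCenter
    Flow("esx", "vum", 9084),      # ESX/ESXi > VUM (package downloads)
    Flow("vum", "esx", 902),       # VUM > ESX/ESXi (packages pushed from VUM)
    Flow("client", "vum", 8084),   # VUM client > SOAP instance
    Flow("client", "vum", 9087),   # VUM client > web server instance
]

def permits(rule: Rule, flow: Flow) -> bool:
    """True if the rule allows the flow's source, destination and port."""
    return (rule.src in (flow.src, "any")
            and rule.dst in (flow.dst, "any")
            and rule.lo <= flow.port <= rule.hi)

def audit(rules):
    """Return (required flows with no rule, over-broad rules that can reach VUM)."""
    missing = [f for f in REQUIRED if not any(permits(r, f) for r in rules)]
    too_broad = []
    for r in rules:
        zones = (r.src, r.dst)
        if "vum" not in zones and "any" not in zones:
            continue  # this rule cannot involve the VUM server
        needed = {f.port for f in REQUIRED if permits(r, f)}
        # Wildcard zones, or more ports open than required flows use them.
        if "any" in zones or (r.hi - r.lo + 1) > len(needed):
            too_broad.append(r)
    return missing, too_broad

# Constructed sample ruleset (not from a real environment).
SAMPLE_RULES = [
    Rule("vum", "vcenter", 80, 80),
    Rule("esx", "vum", 9080, 9090),   # range wider than the single port needed
    Rule("vum", "esx", 902, 902),
    Rule("any", "vum", 8084, 8084),   # wildcard source
]

if __name__ == "__main__":
    missing, too_broad = audit(SAMPLE_RULES)
    print("missing:", missing)
    print("too broad:", too_broad)
```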
The patch download sources can be defined via update manager > configuration > settings > patch download settings.
An optional component of VUM is the Update Manager Download Server (UMDS), which allows you to download patches to a server connected directly to the internet. This is the preferred option where security policies define that your internal infrastructure network must be isolated from the internet.
NOTE: UMDS is configurable via the command line only e.g. vmware-umds --set-config --enable-host 1
Baselines are key to successfully updating your ESX/ESXi hosts, virtual machines and virtual appliances and to highlighting those that are non-compliant.
The default baselines:
- Critical VM patches
- Non-critical VM patches
- Critical host patches
- Non-critical host patches
- VMware tools upgrades
- VM hardware upgrades
- VA upgrades to latest version
- VA upgrades to latest critical
The permission required to manage the creation and modification of baselines is the manage baseline permission.
Baselines can be dynamic or fixed; dynamic baselines are broad in definition, e.g. one could contain all critical patches, whereas fixed baselines are defined by the administrator.
Baselines are created by connecting to vCenter via the vSphere client.
vSphere client > Update Manager > baselines and groups > create > name and description > baseline type [host patch | host extension | host upgrade | VM patch | VA upgrade] > Next > [fixed | dynamic] > define which patches you wish to filter on.
Attaching baselines to vCenter inventory objects
Once the baseline has been created you’ll need to attach it to an object in vCenter such as a cluster, folder, host or virtual machine. Baselines are attached from the Update Manager tab within the hosts and cluster view.
Scan ESX/ESXi hosts and virtual machines
You can schedule a scan for updates using the task scheduler; the task scheduler allows you to specify hosts, virtual machines or virtual appliances and baseline type. VUM scans the host over TCP port 80 (if 80 is being used then port 9000 – 9100 will be used); virtual machines are scanned via a locally installed agent.
Remediate ESX/ESXi hosts and virtual machines
The remediate process is clever enough to apply upgrades first, then patches and patch dependencies. Any conflicting patches will not be installed unless a superseding patch is available which fixes the said conflict.
ESX 3.5 hosts are remediated using cumulative rollups whereas the ESX 4.x hosts are packaged into VIBs; VIBs can contain one or several patches.
Stage ESX/ESXi host updates
Staging patches speeds up remediation because patches are stored locally; this reduces the downtime and allows patches to be applied whilst the host is still running. Staging is only supported by ESX 4.0.
To stage patches, log in to vCenter via the vSphere client > Hosts and clusters > right click a host > select stage patches > select the baseline > ESX hosts which should download the patches > finish.
Analysing compliance information from a scan
VUM creates a report detailing compliant and non-compliant vCenter objects i.e. hosts or virtual machines.
In order to run the compliance report you need read-only permissions on the object and the object must have an attached baseline.
To view the compliance report: log in to vCenter > select [host and clusters | virtual machines and templates] > select an applicable object > Update Manager tab.