In the last post of this series we learned how to install VUM and discussed why we need it and how it simplifies updates and upgrades in a large infrastructure, making the life of a VMware admin easier.
In this post we will see how to configure the various settings in VUM, how to create baselines and attach them to a host or cluster, and then how to remediate hosts.
If you have missed the earlier posts of this series, you can access them through the links below:
3: Installing and Configuring Esxi Server 6
5: Enabling AD Authentication for vCenter Server
6: vCenter Server 6 Basic Configuration
7: Configuring dvSwitch & Port groups
9: Installing vSphere Update Manager
Configuring VUM is a fairly easy task and there are not many settings involved. Let's see the steps.
Log in to the vSphere Web Client, navigate to the Home page and click on Update Manager to open the VUM configuration page.
Go to Manage > Settings to open the VUM settings.
1: The first section is Network Connectivity and generally we don’t make any changes here. Just verify the SOAP port and IP of the VUM server.
2: The next setting is Download Settings. Generally we don't make any changes here, but if you have a local shared repository or need to set proxy settings, you can define them here.
By default patches are downloaded from pre-defined URLs which are auto-populated in the list, but you can add more URLs for downloading patches, e.g. a URL provided by a vendor for downloading vendor-specific update packages.
Additional URLs can be added by clicking the Edit button. If you have a local repository where you have already downloaded patches, you can import those as well by clicking the Import Patches button.
3: The next setting is Download Schedule. Here you configure when the update packages are downloaded from the URLs defined in Download Settings.
I like to set it to early morning, say 3 AM, so that VUM does not choke my production bandwidth during business hours.
Also you can add an email address so that you can be notified if the patch download process is successful or encounters any error.
The download schedule can be changed by clicking the Change button on the right side, as marked in the screenshot below.
Click the Change button to select the download options, such as whether VUM should download updates every day or once a week (and if so, on which day of the week).
You can also select Run this action now if you want to start downloading the patches immediately, or schedule it for later by selecting Setup a recurring schedule for this action and providing a date and time for the task.
Hit OK when you are done with configuration.
On Ready to complete page review your settings and hit Finish.
4: Next is to configure Notification Check Schedule.
The Notification Check Schedule setting lets you know when VMware has pushed a notification about a patch. For example, if VMware recalls a patch because of issues in it, you and your team should be notified immediately so that you do not accidentally install that patch in your production environment or, if it is already deployed, so that you can remove it from your servers as soon as possible.
For this reason it is best practice to put a monitoring email address in the Notification Check Schedule; generally this is a mailbox or list that all VMware admins are part of.
Click the Edit button to configure this setting. You can configure when VUM should check for notifications about patches and, if any are found, which email address they are forwarded to so that the VMware admins know about them. Click the Change button to change the settings.
On the Ready to Complete page, review your settings and hit Finish.
5: Under Virtual Machine Settings you can choose whether or not VUM should take snapshots of VMs during upgrades. I personally like to enable the snapshot option so that if anything goes wrong the VM can be reverted to a working state.
You can click the Edit button to enable or disable this option. If you have chosen to go with snapshots, you can also define how long VUM should keep the snapshot before committing it. (Keeping snapshots for a long period of time is not good practice.)
6: Next is to configure ESX Host / Cluster Settings. These are the most important configuration options in VUM; they should be configured with the utmost attention and the proper actions chosen (this is generally decided when the infrastructure is designed).
I will not discuss all the settings here, only those which can cause issues with remediation of ESXi hosts.
For example, set the Disable removable media option to Yes. If removable media such as a CD-ROM is preventing VMs from being migrated, which in turn prevents the ESXi host from entering maintenance mode (VUM puts a host into MM before remediating it), the media can then be removed.
The second important setting here is to disable Admission Control temporarily. I have seen issues in the past where Admission Control won't allow an ESXi host to go into MM if sufficient failover capacity can't be maintained while the host is being put into MM by VUM.
Also, if your cluster is heavily loaded, best practice is not to use parallel remediation, so that if an ESXi host fails while VUM is remediating another host, the VMs do not suffer resource scarcity because too few hosts are alive. But if you are working in a new cluster with very few or no VMs, you can enable parallel remediation, as it can greatly speed things up.
7: Last setting is to enable Smart reboot after remediation option for vApps.
Creating baselines for Esxi Hosts
Next is to create baselines for the ESXi hosts. Go to Manage > Host Baselines to start creating baselines for your ESXi hosts.
By default you will see two Patch Baselines, and no Extension or Upgrade Baselines. Also there are no Baseline Groups.
Click on the green + button to add a new baseline.
I am going to create a new baseline which will only include critical security updates.
Give a name for the baseline and an optional description. Select Host Patch and hit Next.
Select Dynamic under Patch Options.
A dynamic baseline is always current. That means every time VUM reaches out to VMware (3 AM, as per the Download Schedule we defined earlier), it checks whether there are any new patches and downloads them if necessary.
Hit Next to continue.
Since I created this baseline to include only critical security patches from VMware, I selected the following under Criteria:
Patch Vendor: VMware, Inc
Product: Embedded esxi 6.0.0
Severity: Critical
Category: Security
Hit Next to continue.
If you want to exclude any set of patches from your baseline, do so under Patches to Exclude and hit Next.
If you want to include any specific patches in your baseline, select the appropriate patches under Additional Patches and hit Next.
On Ready to Complete page, review your settings and hit Finish.
Creating Baselines for VM/Virtual Appliances
There is not much to do here, except that you can create baselines for upgrading specific virtual appliances such as vSphere Replication or VDP (if you have these in your infrastructure) using VUM.
Click on the green + button to create a new baseline for VAs.
I am creating a new baseline to upgrade my vSphere Replication Appliance to the latest version.
Under Name and Type, provide a name and an optional description for your baseline and hit Next.
Note: By default the baseline type is set to VA Upgrade and you don't have anything else to choose here.
Under Upgrade Options, click on Add Multiple Rules to add an upgrade rule for your VA and hit Next.
I selected VMware Inc as Vendor, chose vSphere Replication Appliance from the product list and selected Latest under the Upgrade to option.
Hit OK after making the selection.
The selected VA will now appear in the list. Hit Next to continue.
On Ready to Complete page, review your settings and hit Finish.
Attaching Baseline to Hosts/Clusters
Once you have finished creating the baselines, the next task is to attach them to the clusters or individual hosts which you want to update using VUM.
Select the cluster and click on the Attach Baseline button under the Update Manager tab.
Select the baseline which you want to attach to your cluster and hit OK.
I have attached my security patch baseline to my cluster as I want to update all the ESXi hosts in the cluster.
Scanning the objects
After attaching the baseline, the next job is to scan the objects (host/cluster) to see whether they are compliant with the baseline. If the patches included in the baseline are not present on the objects, they will report Non-Compliant, as shown in the screenshot below.
Click on Scan for Updates, select the appropriate options and hit OK.
VUM will immediately trigger a task to scan the objects, which can be monitored in the Recent Tasks pane.
Remediation
Remediating the hosts is the fun part. There are 2 approaches to host remediation:
1: Stage the patches on all ESXi hosts first, which speeds up the remediation process when the actual remediation is triggered.
2: Remediate the hosts as soon as the object scan has finished.
It is always a good idea to stage the patches on the hosts first and remediate them later, and I am going to follow the same approach.
Staging the patches
To stage the patches on the hosts, select your cluster, navigate to the Update Manager tab and select Stage Patches.
Select the baseline which will be staged on the ESXi hosts and click Next.
Select the hosts on which you want to push the patches and hit Next.
Choose the patches and hit Next.
On Ready to Complete page, review your settings and hit Finish.
Again you will see some tasks triggered by VUM in the Recent Tasks pane. Wait for the Stage patches task to complete. It can take some time, depending on your network speed, how many patches are being staged and how many ESXi hosts are selected for staging.
Remediating ESXi hosts
Remediating the hosts is the final step.
Select the cluster and click on the Remediate button under the Update Manager tab.
Select the baseline/baselines and hit Next.
Select the ESXi hosts which you want to remediate and hit Next.
Under Patches and Extensions, select the patches which will be installed on the hosts and hit Next.
You can choose to schedule the remediation task for a later time or run it immediately. I have chosen to run it immediately as this is my lab environment.
Under Host remediation options, select the actions that will be taken on a host when it is remediated, e.g. Disable removable media, or how many times VUM will try to put a host into MM before remediating it.
Hit Next after making your selection.
Under Cluster remediation options, again choose the appropriate options for your environment. We have already discussed these options earlier in this post while configuring the VUM settings.
Hit Next to continue.
On Ready to Complete page, review your settings and hit Finish.
You will see VUM start putting hosts into MM, and the remediation progress can be watched in the Recent Tasks pane.
Once all your hosts are remediated, you will see that they are now compliant with the attached baseline. This means all hosts now have the patches which you defined in the baseline.
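The same baseline, attach, scan, stage and remediate workflow can also be scripted with the Update Manager cmdlets in VMware PowerCLI. The script below is an added example and not part of the original post; the cluster name, baseline name, retry values and the criteria strings are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post). Needs VMware PowerCLI with the
# Update Manager cmdlets and an existing Connect-VIServer session.
$clusterName  = 'Lab-Cluster'                # hypothetical cluster name
$baselineName = 'Critical-Security-Patches'  # hypothetical baseline name

# Criteria chosen in the baseline wizard above. The exact strings are
# assumptions: compare them with the Get-Patch output of your Update Manager.
$criteria = @{
    SearchPatchVendor   = 'VMware, Inc'
    SearchPatchProduct  = 'embeddedEsx 6.0.0'
    SearchPatchSeverity = 'Critical'
    SearchPatchCategory = 'Security'
}

$cluster  = Get-Cluster -Name $clusterName -ErrorAction Stop
$baseline = Get-Baseline -Name $baselineName -ErrorAction SilentlyContinue
if (-not $baseline) {
    # Dynamic baseline: membership follows every scheduled patch download.
    $baseline = New-PatchBaseline -Name $baselineName -Dynamic -TargetType Host @criteria
}

# Attach to the cluster and scan so the compliance data is current.
Attach-Baseline -Baseline $baseline -Entity $cluster
Scan-Inventory -Entity $cluster -UpdateType HostPatch

# Stage first, so the maintenance-mode window is spent on installation only.
Stage-Patch -Entity $cluster -Baseline $baseline

# Remediate one host at a time (no parallel remediation on a loaded cluster)
# and stop at the first host that does not end up compliant.
foreach ($vmhost in Get-VMHost -Location $cluster | Sort-Object Name) {
    $before = Get-Compliance -Entity $vmhost -Baseline $baseline
    if ($before.Status -eq 'Compliant') { continue }

    Remediate-Inventory -Entity $vmhost -Baseline $baseline `
        -HostDisableMediaDevices:$true -HostFailureAction Retry `
        -HostNumberOfRetries 3 -HostRetryDelaySeconds 300

    # Rescan and verify before touching the next host.
    Scan-Inventory -Entity $vmhost -UpdateType HostPatch
    $after = Get-Compliance -Entity $vmhost -Baseline $baseline
    if ($after.Status -ne 'Compliant') {
        throw "$($vmhost.Name) is $($after.Status) after remediation; stopping."
    }
}
```

Newer PowerCLI releases expose the same cmdlets under the names Add-EntityBaseline, Test-Compliance, Copy-Patch and Update-Entity.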
With this we have completed the VUM configuration and seen how it works.