
Keep vSAN Cluster updated

  • 1.  Keep vSAN Cluster updated

    Posted Feb 14, 2022 10:52 AM

    Hi,

    Just looking for the best recommended approach to update a production vSAN Cluster:

    • A Cluster is built from vendor custom ESXi image such as Dell.
    • A vSAN Cluster has a recommended baseline that is automatically attached to it. (Assume this gets updated automatically also)
    • Moreover, there are Host Security and Critical Patches baselines that are also attached to it.

    What is the process of updating the Cluster?

    I am referring specifically to the ESXi version; we can skip the step about verifying the HCL, as I am aware of that.

    Should I stick to what the Baseline Group vSAN Cluster states, remediate the Cluster and stop there? (After all, this is probably why there is this baseline, to just stick to it as it will be well tested.)

    OR

    Should I also apply Host Security and Critical Patches? If so, should I just tick both checkboxes to apply latest patches or should I create a more specific baseline for each with just the required rollup update/patch?

     



  • 2.  RE: Keep vSAN Cluster updated
    Best Answer

    Posted Feb 24, 2022 09:08 PM

    So the recommendation is to use Image Based patching for vLCM.  When using baselines, the baseline will update at some point with new ESXi versions.  Remember, vSAN is part of vmkernel, but not always patched or updated with every ESXi update.

    Patching really doesn't change in regards to when and what, always, within reason and your own policies, keep your systems up to date.  

    You don't mention if you have stretched or 2-node clusters.  If so, there are some added steps with the whole witness appliance.



  • 3.  RE: Keep vSAN Cluster updated

    Posted Feb 24, 2022 09:34 PM

    Just a standard vSAN cluster (no stretched or 2 node)

    OK, so far I am keeping compliance with the vSAN recommended Baseline and not applying the Security and Critical Updates.

    I will try to find out more about vLCM. I am used to applying the vendor bootable ISO for firmware and then applying the vendor Custom ESXi image on top of it. So I am not sure how this process will change with vLCM, as I find the vendor firmware ISO handy to apply all firmware updates at once.



  • 4.  RE: Keep vSAN Cluster updated

    Posted Feb 25, 2022 04:21 PM

    vLCM in vSphere 7.x definitely makes that easier if you have vendor integration tools.  For me, we're a Dell shop, so OpenManage Integration for VMware vSphere (OMIVV) takes the guesswork of firmware out of the equation, and using Single Image on vLCM, the drivers are taken care of as well.

    I would still apply the Security and Critical updates from a reliability and security standpoint; it won't hurt anything, just review the Release Notes.



  • 5.  RE: Keep vSAN Cluster updated

    Posted Feb 25, 2022 06:35 PM

    So this is what I understood:

    The vSAN recommended baseline is updated, but not immediately when there are Critical/Security updates. (Guess this delay is for ensuring proper testing and vSAN Cluster stability.)

    To update immediately, one needs to create a new Baseline that includes the respective Rolling Update and apply it to the Cluster (on top of the recommended vSAN cluster baseline).

    I could not find any related Best Practices documentation for Updating a vSAN Cluster that covers the above points.

    OMIVV: will check requirements/costs etc...



  • 6.  RE: Keep vSAN Cluster updated

    Posted Feb 28, 2022 09:15 PM

    Yeah, the best practices don't exist unfortunately, I really wish they did.  The general guidance is to follow "standard" policies.



  • 7.  RE: Keep vSAN Cluster updated

    Posted Mar 01, 2022 05:30 AM

    Yes, sometimes you enter a loop, as in "standard policies" say follow vendor best practices - thanks for confirming and appreciate your input.



  • 8.  RE: Keep vSAN Cluster updated

    Posted Mar 02, 2022 10:14 PM

    Just a brief point from recent discussions with my colleagues - the vSAN baselines have not been updated in *quite* a while, these are scheduled to be updated in the next few days.



  • 9.  RE: Keep vSAN Cluster updated

    Posted Mar 03, 2022 06:00 AM

    Noted. So far I am remediating with the existing vSAN Cluster recommended baseline after applying the latest ESXi 7.0.2 Custom Dell Image.

    I will check back in a few weeks' time for an updated baseline and remediate accordingly.



  • 10.  RE: Keep vSAN Cluster updated

    Posted Mar 04, 2022 06:36 PM

    So I did notice on my clusters that still use baselines, the vSAN Recommendation Baseline did update, but due to the bugs with ESXi 7.0 U3 in the past, you cannot use a patch baseline to update, so this default baseline is actually worthless.  The good side is you know VMware and Dell have "blessed" ESXi 7.0 U3c for vSAN.



  • 11.  RE: Keep vSAN Cluster updated

    Posted Apr 11, 2022 10:33 AM

    FYI - I installed the latest vendor ESXi Image for ESXi 7.0U3 and applied the vSAN Baseline, which, yes, looks to have been updated now as it includes patches ESXi70U3d-19482537.



  • 12.  RE: Keep vSAN Cluster updated

    Posted Jul 14, 2022 09:19 AM

      

    So the vSAN recommended baseline remains on ESXi70U3d-19482537.

    Under Lifecycle Manager and Updates I see ESXi70U3e-19898904 and ESXi70U3f-20036589 (and ESXi70U3sf-20036586 - not sure about the s meaning?)

    Should I (I mean, is it safe and recommended) patch vSAN clusters with ESXi70U3f-20036589 (on top of the vendor custom ESXi), or does the fact that they are not included in the vSAN recommended baseline mean they need to undergo testing for vSAN Clusters by VMware and thus I should wait?

     

    Thanks

     



  • 13.  RE: Keep vSAN Cluster updated

    Posted Sep 06, 2022 08:59 PM

    My understanding is to stick with the vSAN recommended baselines, as those are tested and vetted for vSAN.  You should be applying the firmware and drivers from the vendor separately. I use OpenManage Integration for VMware vSphere (OMIVV) since I use Dell equipment, but look into how to do this for your specific hardware.