  • 1.  Patching vSphere 7 lifecycle manager cluster images?

    Posted Jul 24, 2020 10:43 AM

    Can anyone explain how patching a vSphere 7 LCM cluster image is done?

    I understand how you set up the first image, add the addons etc.

    But using baselines, you get patches regularly, monthly or more often, while the ISO updates used for images are released only when VMware releases a new minor update version, maybe every third month.

    If you use an OEM ISO image from certain manufacturers that delay is even longer, maybe two to three months longer on top of that.

    Basically two questions come out of that:

    * How is the LCM cluster image "patched" when VMware releases the patches, similar to baseline updates?

    * Should the base image be the VMware ESX image only, or an OEM ESXi image (kind of defeating the Vendor Addon part of LCM)?



  • 2.  RE: Patching vSphere 7 lifecycle manager cluster images?

    Posted Jul 24, 2020 02:48 PM

    Hey

    On checking for recommended images at the cluster level on demand, when you view the recommended images in LCM you see the three options below:

    • Current Image: The image specification that is running on the cluster.

    • Latest in Current Series: If available, a later version within the same release series appears. For example, if the cluster is running vSphere 7.0 and vSphere 7.1 is released, an image based on vSphere 7.1 appears.

    • Latest and Greatest: If available, a later version in a later major release. For example, if the cluster is running vSphere 7.0 or 7.1 and vSphere 8.0 is released, an image based on vSphere 8.0 appears.

    Queries related to baselines and images, for the base image and the OEM image:

    vSphere Lifecycle Manager Images

    Baselines and Images: What is the Difference?

    Cheers!



  • 3.  RE: Patching vSphere 7 lifecycle manager cluster images?

    Posted Jul 24, 2020 03:17 PM

    Sure, that works for any new image release, but I worry about any urgent patches released between two "dot" releases.

    Say I have 7.0.0b installed and they find a problem of Meltdown/Spectre magnitude.

    With baselines, the patch would be available as soon as VMware has a patch available for download.

    With LCM Image it sounds like we have to wait for next "dot" release of ESXi, which could be weeks or months away.

    That is something I have been trying to find out.



  • 4.  RE: Patching vSphere 7 lifecycle manager cluster images?

    Posted Jul 24, 2020 03:20 PM

    Of course a "custom image" could be built for the really, really urgent fixes, but it sounds much harder and more error-prone than remediating with baselines.



  • 5.  RE: Patching vSphere 7 lifecycle manager cluster images?

    Posted Jul 24, 2020 03:37 PM

    Hope this helps.

    vSphere 7 - Lifecycle Management - VMware vSphere Blog

    vSphere Lifecycle Manager handles host patches in the following ways:

    • If a patch in a patch baseline requires the installation of another patch, vSphere Lifecycle Manager detects the prerequisite in the depot and installs it together with the selected patch.
    • If a patch is in a conflict with other patches that are installed on the host, the conflicting patch might not be staged or installed. However, if another patch in the baseline resolves the conflicts, the conflicting patch is installed. For example, consider a baseline that contains patch A and patch C, and patch A conflicts with patch B, which is already installed on the host. If patch C obsoletes patch B, and patch C is not in a conflict with patch A, the remediation process installs patches A and C.
    • If a patch is in a conflict with the patches in the vSphere Lifecycle Manager depot and is not in a conflict with the host, after a compliance check, vSphere Lifecycle Manager reports this patch as a conflicting one. You can stage and apply the patch to the host.
    • When multiple versions of the same patch are selected, vSphere Lifecycle Manager installs the latest version and skips installing the earlier versions.
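
The four rules quoted above can be traced through with a small resolver. The Python below is an added illustration, not vSphere Lifecycle Manager's code or anything from the linked blog: the depot, the patch families A to E and their prerequisite/conflict/obsolete relationships are constructed so that the A/B/C scenario in the post can be followed step by step, and the function names are mine.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Patch:
    name: str                                # patch family, e.g. "A"
    version: int                             # higher is newer
    requires: FrozenSet[str] = frozenset()   # prerequisite families
    conflicts: FrozenSet[str] = frozenset()  # families it conflicts with
    obsoletes: FrozenSet[str] = frozenset()  # families it supersedes

    @property
    def pid(self) -> str:
        return f"{self.name}-{self.version}"


def plan_remediation(depot: Dict[str, Patch], baseline: List[str],
                     installed: Set[str]) -> Tuple[List[str], Dict[str, str], Dict[str, str]]:
    """Return (ids to install, in order), {id: why skipped}, {id: warning}.

    depot: all patches LCM can see, keyed by id; baseline: selected ids;
    installed: patch families already present on the host.
    """
    skipped: Dict[str, str] = {}
    chosen: Dict[str, Patch] = {}
    # Rule 4: several versions of one family selected -> keep only the newest.
    for pid in baseline:
        p = depot[pid]
        cur = chosen.get(p.name)
        if cur is None or p.version > cur.version:
            if cur is not None:
                skipped[cur.pid] = f"older than {p.pid}"
            chosen[p.name] = p
        else:
            skipped[p.pid] = f"older than {cur.pid}"
    # Rule 1: missing prerequisites come from the depot; loop to a fixpoint
    # because a prerequisite may itself have prerequisites.
    changed = True
    while changed:
        changed = False
        for p in list(chosen.values()):
            for req in p.requires:
                if req not in installed and req not in chosen:
                    chosen[req] = max((q for q in depot.values() if q.name == req),
                                      key=lambda q: q.version)
                    changed = True
    # Host state once the selection is applied: obsoleted families disappear,
    # selected families count as present.
    obsoleted = set().union(*(p.obsoletes for p in chosen.values()))
    future = (set(installed) - obsoleted) | set(chosen)
    # Rule 2: a conflict with something still on the host blocks the patch.
    # Rule 3: a conflict only with other depot content is reported, not blocking.
    warnings: Dict[str, str] = {}
    for p in chosen.values():
        host_conflicts = p.conflicts & future
        if host_conflicts:
            skipped[p.pid] = f"conflicts with installed {sorted(host_conflicts)}"
        elif any(q.name in p.conflicts for q in depot.values()):
            warnings[p.pid] = "conflicts with depot content only; can still be staged"
    # Emit prerequisites before the patches that need them.
    to_install: List[str] = []
    done: Set[str] = set(installed)
    pending = [p for p in chosen.values() if p.pid not in skipped]
    while pending:
        ready = [p for p in pending if p.requires <= done]
        if not ready:  # a prerequisite was itself blocked above
            for p in pending:
                skipped[p.pid] = "prerequisite not installable"
            break
        for p in ready:
            to_install.append(p.pid)
            done.add(p.name)
        pending = [p for p in pending if p.pid not in to_install]
    return to_install, skipped, warnings


# Constructed depot (not real VMware patch ids): A conflicts with B, which is
# installed on the host; C obsoletes B; E needs D, which only the depot has.
DEPOT: Dict[str, Patch] = {p.pid: p for p in [
    Patch("A", 1, conflicts=frozenset({"B"})),
    Patch("B", 1),
    Patch("C", 1, obsoletes=frozenset({"B"})),
    Patch("D", 1),
    Patch("E", 1, requires=frozenset({"D"})),
    Patch("E", 2, requires=frozenset({"D"})),
]}


def demo_worked_example():
    """The post's scenario: baseline {A, C}, host has B -> A and C install."""
    return plan_remediation(DEPOT, ["A-1", "C-1"], {"B"})


def demo_unresolved_conflict():
    """Baseline {A} alone: nothing obsoletes B, so A is held as conflicting."""
    return plan_remediation(DEPOT, ["A-1"], {"B"})


def demo_prereq_and_versions():
    """E-1 and E-2 both selected: only E-2 goes on, with D pulled in first."""
    return plan_remediation(DEPOT, ["E-1", "E-2"], set())
```

Calling `demo_worked_example()` gives the outcome the rule text describes (A and C both install, nothing skipped), while `demo_unresolved_conflict()` shows the same A held back when no other patch in the baseline removes B. The point for a defender is that a baseline compliance report listing a patch as "conflicting" is not noise: it means the fix is not on the host until something in the same remediation resolves the conflict.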


  • 6.  RE: Patching vSphere 7 lifecycle manager cluster images?

    Posted Jul 27, 2020 09:21 AM

    This is not correct. Every ESXi patch includes patches for both VUM baselines and LCM images. As seen, the 7.0b and 7.0bs releases have both VUM and LCM images.



  • 7.  RE: Patching vSphere 7 lifecycle manager cluster images?
    Best Answer

    Posted Jul 31, 2020 08:29 PM

    Ok, I finally did the experiment myself to see what happens when using LCM Images and updates that are not applied.

    I set up an ESXi 7.0GA host and checked the number of missing patches according to baselines: 23 patches, including 6 critical and 3 security.

    So I switched to LCM Image and it prompted that baselines will be disabled for that cluster and cannot be reverted.

    I selected ESXi 7.0GA as "ESXi Version" in LCM during image setup.

    When the LCM Image setup was done, it claimed that my cluster was compliant.

    So the 23 missing patches were ignored; good luck with your security while waiting for the next ESXi image to be released.

    While I do understand the "desired state" thing and everything feels like "this is the way to go", my opinion is that VMware has missed a critical point in "day 2" operations, as the next security patch has to await the next ESXi base image release instead of being incorporated immediately by LCM.



  • 8.  RE: Patching vSphere 7 lifecycle manager cluster images?

    Broadcom Employee
    Posted Jul 31, 2020 08:46 PM

    Moderator: Thread moved to the Update Manager area.