Patching Offline ESX servers with Vmware Update Manager

This is my brief guide to what I did to setup patching for isolated networks, like those in intellegence communities, etc. This is meant to help fill in some of the gaps that the documentation left in the process.

Install Update Manager Download Service

Setup a machine to be your Update Manager Download system:

• This machine must have Internet access.
• This system will require another database beyond what the Update Manager in Virtual Center uses, so you may not want to install it there.
• Also, you will need to burn CDs/DVDs or transfer files to a device
• This all being said, a workstation is a good candidate system

Install the Update Manager Download Service on the above machine. Take note of the installation folder and the folder where the downloads will be stored.

• Files are located in "umds" folder of the Virtual Center installation CD image
• Open the VMware-UMDS.exe file to install
• Select to use the local SQL 2005 Express database server

Download Current Updates

The best thing to do is setup a Windows Scheduled Task that downloads the updates automatically. The first step is to create a script to accomplish this manually then you can make it a scheduled task.

To get current downloads:

• Change to the "C:\Program Files\VMware\Infrastructure\Update Manager" directory
• Run the program: vmware-umds --download (or "vmware-umds -D")
• Get coffee! Really, the first run takes a loonngg time.

NOTE: It is possible to configure the download to only retrieve ESX host updates, Windows VM updates and/or Linux VM updates. To change which updates are downloaded use the following syntax:

• vmware-umds -S -h true | false
• vmware-umds -S -w true | false
• vmware-umds -S -l true | false

For example: vmware-umds -S -h true will d/l ESX host patches, vmware-umds -S -w false will NOT d/l Windows VM patches, etc. This can be useful if you want to verify the process but not spend time waiting for the Windows patches to download. Before running "vmware-umds -D", disable Windows and Linux and verify that the ESX patches are downloaded successfully

Once downloads are done you need to export to a local file repository:

• Change to the "C:\Program Files\VMware\Infrastructure\Update Manager" directory
• Run the program: vmware-umds -E --dest <FULL PATH TO YOUR REPOSITORY> -s 2007-01-01T00:00:00 -t 2007-12-31T23:59:59
• This downloads all the patches for 2007, specify different time ranges as required.

Once exported you need to export your repository to some sort of portable media, say a DVD (most likely a DL from what I have already seen!!!)

Import Updates to Virtual Center on Isolated Network

Now that your Internet connect machine has done all the dirty work, you need to get the updates into Virtual Center's Update Database:

• Get you update media connected to Virtual Center so it can access the files
• Change to the "C:\Program Files\VMware\Infrastructure\Update Manager" directory on Virtual Center
• Run the program: vmware-updateDownloadCli.exe --update-path <YOUR DRIVE LETTER HERE> --config-import windows esx --vc-user <YOUR VC USER>

This is a very brief explanation of what to do. See these fine documents below for more stuff:

VMWare Update Manager

http://www.vmware.com/pdf/vi3_vum_10_admin_guide.pdf