VMware
1 2 3 Previous Next 36 Replies Last post: Nov 5, 2009 9:24 PM by Hiney   Branched to a new thread.

esxupdate patch script posted: May 11, 2007 7:53 PM

Click to view jasonboche's profile Champion
jasonboche
5,896 posts since
Jan 7, 2004
As discussed at the 3/9 VMUG meeting, how to automate ESX patches using esxupdate and a patch repository FTP or WEB server. The following script example uses a WEB server.

Patches should be installed in order by month released (ie. First January, then February, March, etc.). For that reason, I prefer to group patches on the repository server by release date.
There should be no running VMs on the host prior to patching or patching may fail.

esxcfg-firewall -allowOutgoing
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/11-30-06/ESX-1006511 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/11-30-06/ESX-1410076 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/11-30-06/ESX-2158032 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/12-28-06/ESX-2066306 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/12-28-06/ESX-6921838 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/12-28-06/ESX-8173580 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/12-28-06/ESX-9986131 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/01-31-07/ESX-1271657 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/01-31-07/ESX-1917602 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/01-31-07/ESX-2031037 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/01-31-07/ESX-2092658 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/01-31-07/ESX-3996003 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/01-31-07/ESX-5497987 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/01-31-07/ESX-6075798 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-05-07/ESX-3199476 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-05-07/ESX-5031800 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-05-07/ESX-5885387 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-05-07/ESX-6050503 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-05-07/ESX-6856573 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-05-07/ESX-9865995 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-1541239 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-2257739 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-2559638 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-6431040/ESX-1161870 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-6431040/ESX-3416571 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-6431040/ESX-5011126 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-6431040/ESX-7737432 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-6431040/ESX-7780490 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-6431040/ESX-8174018 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-6431040/ESX-8852210 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-6431040/ESX-9617902 update
esxupdate --noreboot -r http://<yourwebserver>/esxupdate/03-29-07/ESX-9916286 update
esxcfg-firewall -blockOutgoing

Reboot after patching is complete

Also see the following URL for a specific issue to watch out for when using IIS as a repository server: http://www.vmware.com/community/message.jspa?messageID=595628#595628

Message was edited by:
jasonboche

I added the 3/29 patches to the script

Re: esxupdate patch script

1. Mar 12, 2007 6:49 PM in response to: jasonboche
Click to view kix1979's profile Champion
kix1979
3,769 posts since
Oct 14, 2004
Nice one, I found this today as well :)

http://virtrix.blogspot.com/2007/03/vmware-autopatching-your-esx-host.html

Kix!

Re: esxupdate patch script

2. Mar 12, 2007 7:44 PM in response to: kix1979
Click to view jasonboche's profile Champion
jasonboche
5,896 posts since
Jan 7, 2004
Indeed a nice script, however, for security reasons, I disagree with this step:


On the HTTP Headers tab, MIME Types button: add .* and ‘application/octet-stream’


See:
http://www.vmware.com/community/message.jspa?messageID=595706#595706

Re: esxupdate patch script

3. Mar 13, 2007 6:24 AM in response to: jasonboche
Click to view kix1979's profile Champion
kix1979
3,769 posts since
Oct 14, 2004
Good point, wild cards = scary.

Re: esxupdate patch script

4. Mar 13, 2007 6:42 AM in response to: jasonboche
Click to view ctyke's profile Lurker
ctyke
2 posts since
Mar 13, 2007
Here is the script I had in my Power Point, it uses FTP insted of http, of course change the path to point at your ftp server.

esxcfg-firewall -allowOutgoing

esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-1271657 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-1917602 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-2031037 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-2092658 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-3996003 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-5497987 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-6075798 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-2066306 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-6921838 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-8173580 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-9986131 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-1006511 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-1410076 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-2158032 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-3199476 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-5031800 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-5885387 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-6050503 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-6856573 update
esxupdate --noreboot --force -r ftp://192.168.16.200/vmware/updates/ESX-9865995 update
esxcfg-firewall -blockOutgoing

Message was edited by:
ctyke

Re: esxupdate patch script

5. Mar 13, 2007 7:09 AM in response to: ctyke
Click to view chris.trevino's profile Lurker
chris.trevino
2 posts since
May 25, 2006
A couple of questions:

1) where in the start up order to you put the script? s99xxxxx ?
2) do you gracefully shutdown the VMs first - just in case?
3) was there a particular reason that you used the FORCE option?
4) are you applying all of the patches just in case? many of them are to address very specific issues.

Thanks.

Re: esxupdate patch script

6. Mar 13, 2007 7:17 AM in response to: chris.trevino
Click to view jasonboche's profile Champion
jasonboche
5,896 posts since
Jan 7, 2004
A couple of questions:

1) where in the start up order to you put the script?
s99xxxxx ?


The script is not run in any of the ESX startup scripts. The script is run on the Service Console after the server is booted up, through PuTTY would be best so you can copy/paste.

2) do you gracefully shutdown the VMs first - just in
case?

Absolutely. There must be no running VMs on the ESX server that you are patching.

3) was there a particular reason that you used the
FORCE option?


4) are you applying all of the patches just in case?
many of them are to address very specific issues.

I am but as some are hardware specific, it's not entirely necessary to install all of them.

Re: esxupdate patch script

7. Mar 13, 2007 7:21 AM in response to: ctyke
Click to view jasonboche's profile Champion
jasonboche
5,896 posts since
Jan 7, 2004
Thanks again Chris for your presentation on 3/9. It was excellent! Don't forget to sign up for the VMware Core Customer Program so you can have points added to your account for your VMUG presentation. If you are unsure of how to get started in the VMware Core Customer Program, contact me via Email and I can help you out.

Jas

Re: esxupdate patch script

8. Mar 13, 2007 8:31 AM in response to: jasonboche
Click to view ctyke's profile Lurker
ctyke
2 posts since
Mar 13, 2007
We used the force option because some of the patches didn't take. We found this option recommended in some of the forums.

Re: esxupdate patch script

9. Mar 13, 2007 11:59 AM in response to: ctyke
Click to view jasonboche's profile Champion
jasonboche
5,896 posts since
Jan 7, 2004
I will have to investigate that. -force sounds like a good thing because I'm not interested in failing patches.

On the flip side of the coin, inquiring minds want to know why the patches would fail w/o the -force option, but they install successfully with the -force option? Perhaps the ESX host does not meet one or more of the patching requirements at the time of patching?
Examples off the top of my head:
1. There are running VMs on the host?
2. Host is not in maintenance mode?
3. Patches are installed out of order, thus older versions of patches are being installed over the top of superceding patches?
4. Improper version of ESX for the patches that are being installed (ie. installing 3.0.0 patches on a 3.0.1 host)
5. ?

Re: esxupdate patch script

10. Mar 13, 2007 12:51 PM in response to: jasonboche
Click to view BrianG's profile Champion
BrianG
3,670 posts since
Oct 31, 2005
One thing you want to make sure is to keep the patch order in line with their release dates: especially when patch filenames are not sequential and when you use force option. If you don't consider this, then you will end up overwriting newer rpm with older version.

ESX-3199476.tgz (New) and ESX-6075798.tgz (old) is a good example. They both have updated VMware tools ISO files and if you just go with file name and force option while applying all patches at once, you will overwrite newer tools with older version. Without force option esxupdate will not downgrade a patch.

Re: esxupdate patch script

11. Mar 13, 2007 1:07 PM in response to: BrianG
Click to view jasonboche's profile Champion
jasonboche
5,896 posts since
Jan 7, 2004
That is why in my web repository for patches, I'm choosing to make sub directories which the names are based on the release date as per VMware's download website.

Then by looking at the patch script, I can tell what order they are being installed in respective to what date they were released. ie. November, December, January, March, etc.

As far as what order I'm installing inside of one month, I'm just going in order of the patch number ASCENDING order, assuming it doesn't matter anyway, ie. no patch in March would supercede another March patch!

Re: esxupdate patch script

12. Mar 13, 2007 2:23 PM in response to: jasonboche
Click to view BrianG's profile Champion
BrianG
3,670 posts since
Oct 31, 2005
Sounds right.

My point was just to say use -force with caution.

I would not force a patch as a default action.

Like you said, I would want to know if a patch install failed and determine why instead of just forcing blindly.

Re: esxupdate patch script

13. Mar 13, 2007 2:36 PM in response to: jasonboche
Click to view HennITLS's profile Enthusiast
HennITLS
50 posts since
Aug 3, 2006
Jason,

I have a very nu-bee question to this ftp depot patching procedure. Does the "ESX-#######" refer to the folder created after tar'ing the .tgz file and the esxupdate knows that it needs to go in there to find the update?

esxupdate --noreboot -r http://<yourwebserver>/esxupdate/11-30-06/ESX-1006511 update

Re: esxupdate patch script

14. Mar 13, 2007 2:51 PM in response to: HennITLS
Click to view BrianG's profile Champion
BrianG
3,670 posts since
Oct 31, 2005
/esxupdate/11-30-06/ ESX-1006511

In the above example, if the ESX-1006511.tgz file was put in the esxupdate/11-30-06 directory and untared it would have created the directory ESX-1006511 under it with the rpm(s) in it.

Else the file could have been untared elsewhere and the files could have been copied to the esxupdate/11-30-06/ ESX-1006511 directory.
1 2 3 Previous Next Go to original post

Actions

VMware Developer

SDKs, APIs, Videos, Learn and much more in the Developer community.

Learn More

Developer Sample Code

Increase your developer productivity with VMware API sample code.

Learn More

VMworld Sessions & Labs

Online access to the latest VMworld Sessions & Labs and online services.

Learn more

Purchase PSO Credits Online

Purchase credits to redeem training and consulting services online.

Buy Now

Community Hardware Software

View reported configurations or report your own.

Learn More

VMware vSphere

Come witness the next giant leap in virtualization.

Register Today

Communities