I recently was asked to patch an ESX 4 host for a customer.  This customer did not make use of VMware's Update Manager, and the customer also wanted a simple set of instructions to be provided for use in future patching. Below is a simplified bullet-item version of the ESX 4 Patch Management Guide that I presented to the customer.



On a Windows box, download the patch bundle directly from VMware. This will be a .zip file.



On a Windows box with the vSphere client installed, use the vSphere client's datastore browser to upload the .zip file to a datastore on an ESX 4 host.



Obtain local console access, or SSH (PuTTY) access, to the ESX 4 host that the bundle file was uploaded to.



Verify that the ESX 4 host disk free space is acceptable (2X the size of the bundle), using the command:


vdf -h



Move the bundle file off of the datastore and into /var/updates, using the command:


mv /vmfs/volumes/datastore/ESX400-200909001.zip /var/updates


Note: The directory /var/updates is used in this document, but any directory on a partition with adequate free space could be substituted.

The patch bundle referenced in this document (ESX400-200909001.zip) was for the 09/24/2009 update release.  Adjust file names as required for newer bundles.



Check whether the patch bundles are already installed (or whether they are required), using the command:


esxupdate query



If applicable, use the vSphere client to put the ESX 4 host in maintenance mode.  Alternatively, use the command:


vimsh -n -e /hostsvc/maintenance_mode_enter


The following commands may also be used to list and then shut down virtual machines.  This is for environments without VMotion or for single hosts.


vmware-cmd -s listvms

vmware-cmd <full path to .vmx file> stop soft



To determine which bulletins in the bundle are applicable to this ESX 4 host, use the command:


esxupdate --bundle file:///var/updates/ESX400-200909001.zip scan



To check VIB signature, dependencies, and bulletin order without doing any patching (a dry run), use the command:


esxupdate --bundle file:///var/updates/ESX400-200909001.zip stage



If the stage (dry run) found no problems, then the bundle can be installed using the command:


esxupdate --bundle file:///var/updates/ESX400-200909001.zip update



When (or IF) prompted to reboot, use the command:




Note: Not all patches will require an ESX host reboot.



After the system boots, verify patch bundles were installed with the command:


esxupdate query



If applicable, take the ESX host out of maintenance mode with the command:


vimsh -n -e /hostsvc/maintenance_mode_exit



If applicable, restart virtual machines using the vSphere client or the following command:


vmware-cmd <full path to .vmx file> start



Delete the bundle zip file from the /var/updates folder, using the command:


rm /var/updates/*.zip



Verify that host disk free space is still acceptable, using the command:


vdf -h
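
The free-space check and the scan, stage, update sequence above can be wrapped in one service-console script that stops at the first failed step. This is an added example, not part of the original guide; the function names, the ESXUPDATE override variable, the use of df -Pk in place of vdf, and the assumption that esxupdate exits non-zero on failure are assumptions.

```shell
#!/bin/sh
# Added example: gate the esxupdate steps from the guide above.
# Assumptions: esxupdate exits non-zero when a step fails; df -Pk is
# used instead of vdf because its output is easier to parse.

# has_space BUNDLE DIR: succeed when DIR has at least 2x the bundle
# size free (the rule from the free-space step).
has_space() {
    hs_bundle=$1
    hs_dir=$2
    [ -f "$hs_bundle" ] || return 2
    need_kb=$(( ($(wc -c < "$hs_bundle") * 2 + 1023) / 1024 ))
    free_kb=$(df -Pk "$hs_dir" | awk 'NR==2 {print $4}')
    [ "$free_kb" -ge "$need_kb" ]
}

# patch_host BUNDLE: run scan, stage (dry run), then update, stopping
# at the first step that fails so update never runs after a bad stage.
# ESXUPDATE (hypothetical override) lets the tool be replaced for testing.
patch_host() {
    bundle=$1
    case $bundle in
        /*) ;;
        *) echo "bundle path must be absolute" >&2; return 1 ;;
    esac
    has_space "$bundle" "$(dirname "$bundle")" || {
        echo "bundle missing or less than 2x its size free" >&2
        return 1
    }
    for step in scan stage update; do
        echo "== esxupdate $step"
        "${ESXUPDATE:-esxupdate}" --bundle "file://$bundle" "$step" || {
            echo "esxupdate $step failed; later steps skipped" >&2
            return 1
        }
    done
}

# Example: sh patch_host.sh /var/updates/ESX400-200909001.zip
if [ "$#" -gt 0 ]; then
    patch_host "$1"
fi
```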


As always, thanks for reading!