Hello,
I have two ESXi Hosts with around about 700 applicable patches.
What is the difference between "Stage Patches" and "Scan for Updates"?
Do I need maintenance mode to stage patches?
Kind regards,
Roland
Hi there,
Scan for Updates will scan the hosts against any patch baselines you have attached to them, and report back as to the status of that host against the baseline, so essentially Scan for Updates will tell you which patches and updates from your baseline are missing from the host if returning 'non-compliant', or 'compliant' if all the patches are already installed. It might also return 'Unknown' or 'Incompatible' depending on the state of the host and other factors.
Stage will essentially copy all update and patch files that are to be installed over to the host ready for Remediation, which will actually install the patches. Staging updates does not impact service so you do not need to place the host in maintenance mode whilst staging, the host only needs to be in maintenance mode during Remediation. You can trigger a remediation without staging, but the benefit of staging first is that you will reduce the amount of time your host is out of action because all the patches and updates are already in place pending the final commit, meaning the remediation stage is a lot quicker.
Hope this helps.
vM
-----------------------
VCAP-DCD / VCAP-DCA / VCP-CLOUD / VCP-DT / VCP5 / VCP4
-----------------------
vMustard.com
Hi,
thank you for answering.
Some of the listed patches in patch details are marked in the column "Impact" with "Maintenance Mode".
Does this refer to staging or remediate patches?
Kind regards,
Roland
No problem! The listed 'Impact' for a patch indicates what is required in order to install that particular patch and is only applicable when you remediate. Staging updates and patches have no impact to service and will never require you to place a host in maintenance mode; the point of staging is that it reduces the downtime required to install patches by making everything local to the host prior to having to take the server offline to install them. It's the equivalent of arranging a fifteen minute outage to install a SQL Server Service Pack, for example, where you download and copy the update to the server the night before say, compared to arranging an hour outage to install the same update but waiting until you're in your window before downloading it. Hopefully that makes sense!
So Scan and Stage can be done at any time and does not require the host to be in maintenance mode
Remediate may require maintenance mode and/or a reboot in accordance to the 'Impact' listed next to the patches or updates you're applying, more often than not you will need maintenance mode and a reboot when remediating hosts.
vM
Hi,
staging patches gave me an error at one host. Where can I locate mentioned log files ?
Kind regards,
Roland
#### second start of staging finished successfully, I don't know why ####
Stage patches to entity
myESXi-host.com
The host returns esxupdate error code:14. There is an error when resolving dependencies. Check the Update Manager log files and esxupdate log files for more details.
VSPHERE.LOCAL\Administrator
vcenter-server.com
11.11.2015 14:54:22
11.11.2015 14:54:23
11.11.2015 14:55:27
VUM logs depend on the OS on your VUM server, but if it's 2008 or later will be in C:\ProgramData\VMware\VMware Update Manager\Logs
esxupdate log is in /var/log/esxupdate.log on the host in question....
/var/log/esxupdate.log reports a DependencyError
2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: An esxupdate error exception was caught:
2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: Traceback (most recent call last):
2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: File "/usr/sbin/esxupdate", line 216, in main
2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: cmd.Run()
2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: File "/build/mts/release/bora-1331820/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages
2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: File "/build/mts/release/bora-1331820/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages
2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: File "/build/mts/release/bora-1331820/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages
2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: File "/build/mts/release/bora-1331820/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages
2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: DependencyError: VIB Adaptec_bootbank_arcconf_1.00-1's acceptance level is unsigned, which is not compliant
2015-11-11T14:38:13Z esxupdate: esxupdate: DEBUG: <<<
2015-11-11T14:38:15Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/esxcfg-advcfg', '-q', '-g', '/UserVars/EsximageNetTimeout']'
2015-11-11T14:38:15Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/esxcfg-advcfg', '-q', '-g', '/UserVars/EsximageNetRetries']'
2015-11-11T14:38:15Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/esxcfg-advcfg', '-q', '-g', '/UserVars/EsximageNetRateLimit'
2015-11-11T14:38:15Z esxupdate: esxupdate: INFO: ---
Ah okay, this is due to the acceptance level of the host- I imagine the staging went through okay but it's reporting that the acceptance level of the host is currently 'unsigned' which is flagged up as 'non-compliant' as it introduces a risk to the integrity of the host, essentially means that it doesn't check for signed VIBs on the patches and updates it's installing so it's vulnerable to rogue VIBs.
To check and resolve have a look at this link, though I expect you'd still be able to remediate, I don't think this is a hard limit as opposed to just flagging it up as a risk. You should still look to follow the resolution steps in the link though I advise.
Hope this helps!
vM
host says acceptance Level is "PartnerSupported"
# esxcli software acceptance get
PartnerSupported
# esxcli software vib list
Name Version Vendor Acceptance Level Install Date
----------------------------- ------------------------------------ ------- ---------------- ------------
arcconf 1.00-1 Adaptec unknown 2015-03-16
The acceptance level of the VIB which causes the error message is "unknown".
Can I set an acceptance level on the mentioned VIB?
Kind regards,
Roland
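The check discussed in the posts above, as an added example that is not code from the thread's participants or from VMware: it compares each VIB's acceptance level in `esxcli software vib list` output against the host level and pulls the offending VIB out of an esxupdate.log DependencyError line. The function names are hypothetical, the sample text is constructed from the values quoted in the thread (plus one made-up compliant row), and treating "unknown" like the lowest level is an assumption.

```python
import re

# ESXi acceptance levels, least to most trusted.
LEVELS = ["CommunitySupported", "PartnerSupported",
          "VMwareAccepted", "VMwareCertified"]

# Constructed sample: the arcconf row and the log line use the values quoted
# in the thread; the second VIB row is invented for contrast.
SAMPLE_VIB_LIST = """\
Name         Version  Vendor         Acceptance Level  Install Date
-----------  -------  -------------  ----------------  ------------
arcconf      1.00-1   Adaptec        unknown           2015-03-16
example-vib  1.0-1    ExampleVendor  VMwareCertified   2015-03-16
"""
SAMPLE_LOG = ("2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: "
              "DependencyError: VIB Adaptec_bootbank_arcconf_1.00-1's "
              "acceptance level is unsigned, which is not compliant")

def rank(level):
    # Assumption: an unrecognised level such as "unknown" (an unsigned VIB)
    # ranks with the lowest level, matching the thread, where staging passed
    # once the host was set to the community level.
    return LEVELS.index(level) if level in LEVELS else 0

def vibs_below_host_level(vib_list_text, host_level):
    """Return (name, vendor, level) for VIBs the host level would reject."""
    if host_level not in LEVELS:
        raise ValueError("unknown host acceptance level: %r" % host_level)
    offenders = []
    for line in vib_list_text.splitlines():
        fields = line.split()
        # Data rows have exactly five whitespace-free columns; skip the
        # header (seven words) and the dashed separator row.
        if len(fields) != 5 or set(line) <= set("- "):
            continue
        name, _version, vendor, level, _date = fields
        if rank(level) < rank(host_level):
            offenders.append((name, vendor, level))
    return offenders

LOG_RE = re.compile(r"DependencyError: VIB (\S+)'s acceptance level is (\w+)")

def vibs_named_in_log(log_text):
    """Return (vib_id, reported_level) pairs from esxupdate.log text."""
    return LOG_RE.findall(log_text)

if __name__ == "__main__":
    print(vibs_below_host_level(SAMPLE_VIB_LIST, "PartnerSupported"))
    print(vibs_named_in_log(SAMPLE_LOG))
```

Running it against the real command output and log shows exactly which VIB conflicts with the host level before the host-wide level is changed.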
In case I want to remove the VIB, it warns that I need to disable HA first.
esxcli software vib remove
what does this mean?
To check and resolve have a look at this link (https://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-751034F...), though I expect you'd still be able to remediate, I don't think this is a hard limit as opposed to just flagging it up as a risk. You should still look to follow the resolution steps in the link though I advise.
I changed host acceptance level to "CommunitySupport" and now staging completed successfully
Ah so it's reporting the vib is unsigned- if it's trying to install the vib you may need to do this manually- either way I think you'll need to drop the acceptance level to CommunitySupported
This post describes doing exactly that, and should help you out!
Thanks
Boom. Good stuff
Not all patches are staged. Are those unstaged patches not necessary?
More than likely, some patches will be superseded by others so VUM is smart enough to spot where this is the case and only installs the latest patches so not all patches in the baseline will need to be installed in most cases.
thank you for your kind help!