VMware Cloud Community
rschmid
Enthusiast

ESXi Hosts difference between Scan for Updates and Stage Patches

Hello,

I have two ESXi Hosts with around about 700 applicable patches.

What is the difference between "Stage Patches" and "Scan for Updates"?

Do I need maintenance mode to stage patches?

Kind regards,

Roland


Accepted Solutions
martinriley
Hot Shot

Hi there,

Scan for Updates will scan the hosts against any patch baselines you have attached to them, and report back as to the status of that host against the baseline, so essentially Scan for Updates will tell you which patches and updates from your baseline are missing from the host if returning 'non-compliant', or 'compliant' if all the patches are already installed.  It might also return 'Unknown' or 'Incompatible' depending on the state of the host and other factors.

Stage will essentially copy all update and patch files that are to be installed over to the host ready for Remediation, which will actually install the patches. Staging updates does not impact service, so you do not need to place the host in maintenance mode whilst staging; the host only needs to be in maintenance mode during Remediation. You can trigger a remediation without staging, but the benefit of staging first is that you will reduce the amount of time your host is out of action because all the patches and updates are already in place pending the final commit, meaning the remediation stage is a lot quicker.

Hope this helps.

vM

-----------------------

VCAP-DCD / VCAP-DCA / VCP-CLOUD / VCP-DT / VCP5 / VCP4

-----------------------

vMustard.com

rschmid
Enthusiast

Hi,

Thank you for answering.

Some of the listed patches in patch details are marked in the column "Impact" with "Maintenance Mode".

Does this refer to staging or remediating patches?

Kind regards,

Roland

martinriley
Hot Shot

No problem! The listed 'Impact' for a patch indicates what is required in order to install that particular patch and is only applicable when you remediate. Staging updates and patches has no impact on service and will never require you to place a host in maintenance mode. The point of staging is that it reduces the downtime required to install patches by making everything local to the host prior to having to take the server offline to install them. It's the equivalent of arranging a fifteen-minute outage to install a SQL Server Service Pack, for example, where you download and copy the update to the server the night before, compared to arranging an hour outage to install the same update but waiting until you're in your window before downloading it. Hopefully that makes sense!

So Scan and Stage can be done at any time and do not require the host to be in maintenance mode.

Remediate may require maintenance mode and/or a reboot in accordance with the 'Impact' listed next to the patches or updates you're applying; more often than not you will need maintenance mode and a reboot when remediating hosts.

vM


rschmid
Enthusiast

Hi,

Staging patches gave me an error on one host. Where can I locate the mentioned log files?

Kind regards,

Roland

#### second start of staging finished successfully, I don't know why ####

Stage patches to entity

myESXi-host.com

The host returns esxupdate error code:14. There is an error when resolving dependencies. Check the Update Manager log files and esxupdate log files for more details.

VSPHERE.LOCAL\Administrator

vcenter-server.com

11.11.2015 14:54:22

11.11.2015 14:54:23

11.11.2015 14:55:27

martinriley
Hot Shot

VUM logs depend on the OS on your VUM server, but if it's 2008 or later they will be in C:\ProgramData\VMware\VMware Update Manager\Logs

esxupdate log is in /var/log/esxupdate.log on the host in question....

rschmid
Enthusiast

/var/log/esxupdate.log reports a DependencyError:

2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: An esxupdate error exception was caught:

2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: Traceback (most recent call last):

2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR:   File "/usr/sbin/esxupdate", line 216, in main

2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR:     cmd.Run()

2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR:   File "/build/mts/release/bora-1331820/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages

2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR:   File "/build/mts/release/bora-1331820/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages

2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR:   File "/build/mts/release/bora-1331820/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages

2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR:   File "/build/mts/release/bora-1331820/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages

2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: DependencyError: VIB Adaptec_bootbank_arcconf_1.00-1's acceptance level is unsigned, which is not compliant

2015-11-11T14:38:13Z esxupdate: esxupdate: DEBUG: <<<

2015-11-11T14:38:15Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/esxcfg-advcfg', '-q', '-g', '/UserVars/EsximageNetTimeout']'

2015-11-11T14:38:15Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/esxcfg-advcfg', '-q', '-g', '/UserVars/EsximageNetRetries']'

2015-11-11T14:38:15Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/esxcfg-advcfg', '-q', '-g', '/UserVars/EsximageNetRateLimit'

2015-11-11T14:38:15Z esxupdate: esxupdate: INFO: ---

martinriley
Hot Shot

Ah okay, this is due to the acceptance level of the host. I imagine the staging went through okay but it's reporting that the acceptance level of the host is currently 'unsigned', which is flagged up as 'non-compliant' as it introduces a risk to the integrity of the host; essentially it means that it doesn't check for signed VIBs on the patches and updates it's installing, so it's vulnerable to rogue VIBs.

To check and resolve have a look at this link, though I expect you'd still be able to remediate, I don't think this is a hard limit as opposed to just flagging it up as a risk.  You should still look to follow the resolution steps in the link though I advise.

Hope this helps!

vM

rschmid
Enthusiast

Host says acceptance level is "PartnerSupported"

# esxcli software acceptance get

PartnerSupported

# esxcli software vib list

Name                           Version                               Vendor   Acceptance Level  Install Date

-----------------------------  ------------------------------------  -------  ----------------  ------------

arcconf                        1.00-1                                Adaptec  unknown           2015-03-16

The acceptance level of the VIB which causes the error message is "unknown".

Can I set an acceptance level for the mentioned VIB?

Kind regards,

Roland
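
An added example, not code from the thread or from VMware: this Python script correlates the `DependencyError` line in `/var/log/esxupdate.log` with `esxcli software vib list` output to name the installed VIBs whose acceptance level is below the host's, so the offending VIB can be reviewed. Ranking `unknown`/`unsigned` alongside CommunitySupported, the VIB ID layout, and the `example-driver` row are assumptions made for the example.

```python
import re

# Host acceptance levels, most trusted first.
LEVELS = ["VMwareCertified", "VMwareAccepted", "PartnerSupported", "CommunitySupported"]
DEP_RE = re.compile(r"DependencyError: VIB (\S+?)'s acceptance level is (\w+)")

# Sample input: the log line and the arcconf row are quoted from the thread;
# the "example-driver" row is constructed for contrast.
SAMPLE_LOG = (
    "2015-11-11T14:38:13Z esxupdate: esxupdate: ERROR: DependencyError: VIB "
    "Adaptec_bootbank_arcconf_1.00-1's acceptance level is unsigned, which is not compliant\n"
    "2015-11-11T14:38:13Z esxupdate: esxupdate: DEBUG: <<<\n"
)
SAMPLE_VIB_LIST = """\
Name            Version  Vendor         Acceptance Level  Install Date
--------------  -------  -------------  ----------------  ------------
arcconf         1.00-1   Adaptec        unknown           2015-03-16
example-driver  0.0-0    ExampleVendor  VMwareCertified   2015-03-16
"""

def rank(level):
    # Higher = less trusted. Assumption: unknown/unsigned rank with CommunitySupported.
    return LEVELS.index(level) if level in LEVELS else len(LEVELS) - 1

def failing_vibs_from_log(log_text):
    """Return (vib_id, level) pairs named in esxupdate DependencyError lines."""
    return DEP_RE.findall(log_text)

def parse_vib_list(text):
    """Parse `esxcli software vib list` rows into (vib_id, level) pairs."""
    rows = []
    for line in text.splitlines()[2:]:          # skip header and dashes
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 5:
            name, version, vendor, level, _date = cols
            # Assumption: ID layout <vendor>_bootbank_<name>_<version>, as in the log.
            rows.append((f"{vendor}_bootbank_{name}_{version}", level))
    return rows

def audit(host_level, vib_list_text, log_text):
    """List VIBs less trusted than the host level and whether the log blames them."""
    blamed = {vid for vid, _ in failing_vibs_from_log(log_text)}
    return [{"vib": vid, "level": lvl, "in_log": vid in blamed}
            for vid, lvl in parse_vib_list(vib_list_text)
            if rank(lvl) > rank(host_level)]

if __name__ == "__main__":
    for finding in audit("PartnerSupported", SAMPLE_VIB_LIST, SAMPLE_LOG):
        print(finding)
```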

rschmid
Enthusiast

In case I want to remove the VIB, it warns that I need to disable HA first.

esxcli software vib remove

What does this mean?

rschmid
Enthusiast

To check and resolve https://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-751034F... have a look at this link, though I expect you'd still be able to remediate, I don't think this is a hard limit as opposed to just flagging it up as a risk. You should still look to follow the resolution steps in the link though I advise.

I changed host acceptance level to "CommunitySupport" and now staging completed successfully.

martinriley
Hot Shot

Ah, so it's reporting the VIB is unsigned. If it's trying to install the VIB you may need to do this manually. Either way I think you'll need to drop the acceptance level to CommunitySupported.

This post describes doing exactly that, and should help you out!

Thanks

martinriley
Hot Shot

Boom. Good stuff :)

rschmid
Enthusiast

Not all patches were staged. Are those unstaged patches not necessary?

martinriley
Hot Shot

More than likely, some patches will be superseded by others so VUM is smart enough to spot where this is the case and only installs the latest patches so not all patches in the baseline will need to be installed in most cases.

rschmid
Enthusiast

Thank you for your kind help!
