Using Auto-Deploy as part of Vulnerability Management
Our security team are all over us about patching our ESXi 6.x hosts. We are a small team (2 people) with 45 ESXi hosts to manage. Worse still, some clusters only have 1 host due to guest software licensing restrictions (Oracle!). Regardless, we have to patch the hosts. Now, we could use the 'normal' methodology:
Use VUM to evacuate VMs, patch and reboot hosts. If there are issues, roll back the patches.
So this seems time-consuming to me for 2 reasons:
time taken to reboot
time taken to back out a patch if need be
I guess I could script the whole thing up using VCO but, again, that's time I don't have...
So, one other technology that caught my eye was auto-deploy. I was thinking it might be possible to do the following:
patch an offline image with the patches
auto-deploy the image to the ESXi hosts
to roll back, simply boot from the old image
Anyone doing something similar or see any blockers here?
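Added example, not from the original post (no code was posted): a PowerCLI script for the three steps described above, patching an offline image, pointing Auto Deploy at it, and rolling back by booting the previous image. It assumes the VMware.ImageBuilder and VMware.DeployAutomation modules, a vCenter with the Auto Deploy service running, hosts that already boot from a rule named "image-<profile>", and that every value marked "placeholder" (vCenter name, depot paths, profile names, host IP pattern, custom VIB names) is replaced with your own.

```powershell
# Added example, not from the original post. Placeholders must be replaced.
$VCenter        = 'vcenter.example.internal'             # placeholder
$PatchBundle    = 'C:\depots\ESXi-6.x-patch-bundle.zip'  # placeholder: downloaded offline patch bundle
$ExportDir      = 'C:\depots\exported'                   # placeholder: where built images are archived
$HostPattern    = 'ipv4=10.0.0.10-10.0.0.60'             # placeholder: hosts the image rule covers
$CurrentProfile = 'esxi6-current'                        # placeholder: profile hosts boot today
$ExtraVibs      = @()                                    # placeholder: custom driver VIB names, if any

Import-Module VMware.ImageBuilder, VMware.DeployAutomation
Connect-VIServer -Server $VCenter | Out-Null

# --- Step 1: build the patched image offline --------------------------------
# The patch bundle ships its own image profiles; clone the newest "-standard"
# one, re-add any custom VIBs, and export the result so the exact image that
# went to the hosts is archived next to the one it replaces.
function New-PatchedProfile {
    param([string]$Bundle, [string[]]$CustomVibs, [string]$OutDir)
    Add-EsxSoftwareDepot $Bundle | Out-Null
    $source = Get-EsxImageProfile | Where-Object Name -like '*-standard' |
              Sort-Object CreationTime -Descending | Select-Object -First 1
    $name = "esxi6-patched-$(Get-Date -Format yyyyMMdd)"
    New-EsxImageProfile -CloneProfile $source -Name $name -Vendor 'placeholder-org' | Out-Null
    foreach ($vib in $CustomVibs) {
        Add-EsxSoftwarePackage -ImageProfile $name -SoftwarePackage $vib | Out-Null
    }
    Export-EsxImageProfile -ImageProfile $name -ExportToBundle -FilePath (Join-Path $OutDir "$name.zip")
    return $name
}

# --- Step 2: switch which image rule is active ------------------------------
# One rule per profile. Cutover = activate the new rule and retire the old one;
# rollback = the same call with the names swapped. Rules are only removed from
# the rule set (no -Delete), so the previous image stays ready to re-activate.
function Set-ActiveImageRule {
    param([string]$Activate, [string]$Deactivate, [string]$Pattern)
    $old = Get-DeployRule -Name "image-$Deactivate" -ErrorAction SilentlyContinue
    if ($old) { Remove-DeployRule -DeployRule $old | Out-Null }

    $rule = Get-DeployRule -Name "image-$Activate" -ErrorAction SilentlyContinue
    if (-not $rule) {
        $profile = Get-EsxImageProfile -Name $Activate
        $rule = New-DeployRule -Name "image-$Activate" -Item $profile -Pattern $Pattern
    }
    Add-DeployRule -DeployRule $rule | Out-Null   # adds to working and active rule set

    # Hosts keep their cached rule association until it is repaired; without
    # this they would reboot into the image they had before the rule change.
    foreach ($h in Get-VMHost) {
        Test-DeployRuleSetCompliance -VMHost $h | Repair-DeployRuleSetCompliance | Out-Null
    }
}

# --- Step 3: rolling reboot; each host PXE-boots whatever image is active ---
function Invoke-RollingReboot {
    param([string[]]$HostNames)
    foreach ($n in $HostNames) {
        $h = Get-VMHost -Name $n
        # Single-host clusters have nowhere to evacuate to: maintenance mode
        # waits until their VMs are powered off, so schedule those separately.
        Set-VMHost -VMHost $h -State Maintenance -Evacuate | Out-Null
        Restart-VMHost -VMHost $h -Confirm:$false | Out-Null
    }
}

# Cutover to the patched image
$newProfile = New-PatchedProfile -Bundle $PatchBundle -CustomVibs $ExtraVibs -OutDir $ExportDir
Set-ActiveImageRule -Activate $newProfile -Deactivate $CurrentProfile -Pattern $HostPattern
Invoke-RollingReboot -HostNames (Get-VMHost | Select-Object -ExpandProperty Name)

# Rollback after a bad patch: swap the rules back and reboot again. Nothing is
# uninstalled on the host; it simply boots the previous image.
# Set-ActiveImageRule -Activate $CurrentProfile -Deactivate $newProfile -Pattern $HostPattern
# Invoke-RollingReboot -HostNames (Get-VMHost | Select-Object -ExpandProperty Name)
```

Two points worth checking before relying on this: a rule change does nothing on its own, the host only picks up the new image on its next reboot and only after its rule association has been repaired, so the reboot in the original "normal" method is not saved, only the back-out step is; and the exported bundles in the archive directory are what make the rollback reproducible, so keep them for as long as the rollback window is open.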