Can anyone explain how patching a vSphere 7 LCM cluster image is done?
I understand how you set up the first image, add the addons etc.
But using baselines, you get patches regularly, monthly or more often, while the ISO updates used for images are released only when VMware releases a new minor update version, maybe every third month.
If you use an OEM ISO image from certain manufacturers that delay is even longer, maybe two to three months longer on top of that.
Basically two questions come out of that:
* How are the LCM cluster images "patched" when VMware releases the patches, similar to baseline updates?
* Should the base image be the VMware ESXi image only, or the OEM ESXi image (kind of defeating the Vendor Addon part of LCM)?
Ok, I finally did the experiment myself to see what happens when using LCM Images and updates that are not applied.
I set up an ESXi 7.0GA host and checked the number of missing patches according to baselines: 23 patches, including 6 critical and 3 security.
So I switched to LCM Image and it prompted that baselines will be disabled for that cluster and cannot be reverted.
I selected ESXi 7.0GA as "ESXi Version" in LCM during image setup.
When the LCM Image setup was done, it claimed that my cluster was compliant.
So the 23 missing patches were ignored, good luck with your security while awaiting the next ESXi image to be released.
While I do understand the "desired state" thing and everything feels "this is the way to go", my opinion is that VMware has missed a critical point in the "day 2" operations as the next security patch has to await the next ESXi base image release instead of being incorporated immediately by LCM.
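Because the switch to image mode is one-way and image compliance no longer reports baseline patch state, it is worth recording the baseline gap before making that switch. The following PowerCLI script is an added example, not code from the thread or from VMware; it uses the VUM cmdlets Test-Compliance and Get-Compliance. The vCenter name, cluster name and CSV path are placeholders, and the property names on the compliance and patch objects (NotCompliantPatches, IdByVendor, Severity, ReleaseDate) are taken from the PowerCLI VUM module documentation as I recall it, so verify them against your PowerCLI version.

```powershell
# Added example: audit a cluster's baseline compliance with PowerCLI before
# switching the cluster to LCM image mode. The switch cannot be reverted and
# the image "compliant" verdict does not account for baseline patches.
# Placeholders: vcenter.example.com, Cluster-Prod and the CSV path.
Connect-VIServer -Server 'vcenter.example.com'

$cluster = Get-Cluster -Name 'Cluster-Prod'
$report  = @()

foreach ($vmhost in ($cluster | Get-VMHost)) {
    # Rescan so the result is not stale cached compliance data
    Test-Compliance -Entity $vmhost

    # -Detailed exposes the per-patch lists on each baseline compliance object
    # (property names assumed from the PowerCLI VUM documentation)
    $compliance = Get-Compliance -Entity $vmhost -Detailed
    foreach ($c in $compliance) {
        foreach ($patch in $c.NotCompliantPatches) {
            $report += [pscustomobject]@{
                Host        = $vmhost.Name
                Baseline    = $c.Baseline.Name
                Patch       = $patch.Name
                VendorId    = $patch.IdByVendor
                Severity    = $patch.Severity
                ReleaseDate = $patch.ReleaseDate
            }
        }
    }
}

# Count per severity, the same kind of figure as "23 patches, 6 critical, 3 security"
$report | Group-Object -Property Severity | Select-Object Name, Count

# Keep the full list as the record of what image-mode compliance will no longer show
$report | Export-Csv -Path 'C:\Temp\baseline-gap-before-image-mode.csv' -NoTypeInformation

Disconnect-VIServer -Confirm:$false
```

Run it against the cluster while baselines are still attached; once the cluster is converted to an image, Get-Compliance has nothing to report for it, so this is the last point at which the missing-patch list can be collected from vCenter itself.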
Hey
On checking for recommended images at cluster level on demand, when you view the recommended images in LCM you see the below three options:
• Current Image: The image specification that is running on the cluster.
• Latest in Current Series: If available, a later version within the same release series appears. For example, if the cluster is running vSphere 7.0 and vSphere 7.1 is released, an image based on vSphere 7.1 appears.
• Latest and Greatest: If available, a later version in a later major release. For example, if the cluster is running vSphere 7.0 or 7.1 and vSphere 8.0 is released, an image based on vSphere 8.0 appears.
Queries related to baseline and images for base image and OEM image
vSphere Lifecycle Manager Images
Baselines and Images: What is the Difference?
Cheers!
Sure, that works for any new image release, but I worry about any urgent patches released between two "dot" releases.
Say I have 7.0.0b installed and they find a problem of Meltdown/Spectre magnitude.
With baselines, the patch would be available as soon as VMware has a patch available for download.
With LCM Image it sounds like we have to wait for the next "dot" release of ESXi, which could be weeks or months away.
That is something I have been trying to find out.
Of course a "custom image" could be built for the really, really urgent fixes, but it sounds much harder and more error-prone than remediating with baselines.
hope this helps
vSphere 7 - Lifecycle Management - VMware vSphere Blog
vSphere Lifecycle Manager handles host patches in the following ways:
This is not correct. Every ESXi patch includes patches for both VUM baselines and LCM Images. As seen, the 7.0b and 7.0bs releases have both VUM and LCM image.
Moderator: Thread moved to the Update Manager area.