VMware Cloud Community
Svedja
Enthusiast

Patching vSphere 7 lifecycle manager cluster images?

Can anyone explain how patching a vSphere 7 LCM cluster image is done?

I understand how you set up the first image, add the add-ons, etc.

But using baselines, you get patches regularly, monthly or more often, while the ISO updates used for images are released only when VMware releases a new minor update version, maybe every third month.

If you use an OEM ISO image from certain manufacturers, that delay is even longer, maybe two to three months on top of that.

Basically, two questions come out of that:

* How is the LCM cluster image "patched" when VMware releases the patches, similar to baseline updates?

* Should the base image be the VMware ESXi image only, or an OEM ESXi image (kind of defeating the Vendor Add-on part of LCM)?


Accepted Solutions
Svedja
Enthusiast

OK, I finally did the experiment myself to see what happens when using LCM images and updates that are not applied.

I set up an ESXi 7.0 GA host and checked the number of missing patches according to baselines: 23 patches, including 6 critical and 3 security.

So I switched to an LCM image, and it prompted that baselines will be disabled for that cluster and this cannot be reverted.

I selected ESXi 7.0 GA as "ESXi Version" in LCM during image setup.

When the LCM image setup was done, it claimed that my cluster was compliant.

So the 23 missing patches were ignored; good luck with your security while waiting for the next ESXi image to be released.

While I do understand the "desired state" thing and everything feels like "this is the way to go", my opinion is that VMware has missed a critical point in "day 2" operations, as the next security patch has to await the next ESXi base image release instead of being incorporated immediately by LCM.


7 Replies
harry89
Enthusiast

Hey

When checking for recommended images at the cluster level on demand, you see the below three options in LCM:

• Current Image: The image specification that is running on the cluster.

• Latest in Current Series: If available, a later version within the same release series appears. For example, if the cluster is running vSphere 7.0 and vSphere 7.1 is released, an image based on vSphere 7.1 appears.

• Latest and Greatest: If available, a later version in a later major release. For example, if the cluster is running vSphere 7.0 or 7.1 and vSphere 8.0 is released, an image based on vSphere 8.0 appears.

Queries related to baselines and images, base image and OEM image:

vSphere Lifecycle Manager Images

Baselines and Images: What is the Difference?

Cheers!

Harry
VCIX-DCV6.5 ,VCIX-NV6 , VCAP-CMA7
Mark answer as correct/helpful if it solves your query
Svedja
Enthusiast

Sure, that works for any new image release, but I worry about any urgent patches released between two "dot" releases.

Say I have 7.0.0b installed and they find a problem of Meltdown/Spectre magnitude.

With baselines, the patch would be available as soon as VMware has a patch available for download.

With an LCM image, it sounds like we have to wait for the next "dot" release of ESXi, which could be weeks or months away.

That is something I have been trying to find out.

Svedja
Enthusiast

Of course a "custom image" could be built for the really, really urgent fixes, but it sounds much harder and more error-prone than remediating with baselines.

harry89
Enthusiast

Hope this helps:

vSphere 7 - Lifecycle Management - VMware vSphere Blog

vSphere Lifecycle Manager handles host patches in the following ways:

  • If a patch in a patch baseline requires the installation of another patch, vSphere Lifecycle Manager detects the prerequisite in the depot and installs it together with the selected patch.
  • If a patch is in a conflict with other patches that are installed on the host, the conflicting patch might not be staged or installed. However, if another patch in the baseline resolves the conflicts, the conflicting patch is installed. For example, consider a baseline that contains patch A and patch C, and patch A conflicts with patch B, which is already installed on the host. If patch C obsoletes patch B, and patch C is not in a conflict with patch A, the remediation process installs patches A and C.
  • If a patch is in a conflict with the patches in the vSphere Lifecycle Manager depot and is not in a conflict with the host, after a compliance check, vSphere Lifecycle Manager reports this patch as a conflicting one. You can stage and apply the patch to the host.
  • When multiple versions of the same patch are selected, vSphere Lifecycle Manager installs the latest version and skips installing the earlier versions.
Harry
VCIX-DCV6.5 ,VCIX-NV6 , VCAP-CMA7
Mark answer as correct/helpful if it solves your query
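As an added illustration of the four rules quoted above, here is a small planner that applies them to a baseline. This is example code written for this edit, not VMware's implementation or any documented LCM API: the bulletin names A to G, their prerequisite/conflict/obsoletes metadata, and the host state are all constructed. It reproduces the documented A/B/C case (A conflicts with installed B, C obsoletes B, so both A and C are installed) and adds one case for each of the other three rules.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Patch:
    """A bulletin as the planner sees it. Constructed model for this example,
    not VMware's metadata format."""
    name: str
    version: int
    requires: FrozenSet[str] = frozenset()   # names that must be present first
    conflicts: FrozenSet[str] = frozenset()  # names it cannot coexist with
    obsoletes: FrozenSet[str] = frozenset()  # names it replaces on the host

    @property
    def pid(self) -> str:
        return f"{self.name}-v{self.version}"


def latest_per_name(patches: Iterable[Patch]) -> Dict[str, Patch]:
    """Rule 4: when several versions of one bulletin are selected, keep the latest."""
    best: Dict[str, Patch] = {}
    for p in patches:
        if p.name not in best or p.version > best[p.name].version:
            best[p.name] = p
    return best


def plan_remediation(baseline: Iterable[Patch], depot: Iterable[Patch],
                     installed: Iterable[Patch]) -> dict:
    """Apply the four quoted rules: returns what would be installed (in order),
    what is skipped and why, and what is only reported."""
    depot_by_name = latest_per_name(depot)
    installed_names = {p.name for p in installed}
    selected = latest_per_name(baseline)            # rule 4
    skipped: Dict[str, str] = {}

    # Rule 1: pull prerequisites from the depot, transitively; a prerequisite
    # the depot does not have means the dependent patch cannot be applied.
    queue: List[Patch] = list(selected.values())
    while queue:
        p = queue.pop()
        for req in sorted(p.requires):
            if req in selected or req in installed_names:
                continue
            if req in depot_by_name:
                selected[req] = depot_by_name[req]
                queue.append(depot_by_name[req])
            else:
                skipped[p.pid] = f"prerequisite {req} not in depot"
    selected = {n: p for n, p in selected.items() if p.pid not in skipped}

    # Rule 2: a conflict with something installed blocks the patch, unless another
    # selected patch obsoletes the installed one. Iterate to a fixed point because
    # dropping a patch can also drop the obsoletion that cleared a conflict.
    while True:
        obsoleted = set().union(*(p.obsoletes for p in selected.values()))
        effective_installed = installed_names - obsoleted
        blocked = [p for p in selected.values() if p.conflicts & effective_installed]
        if not blocked:
            break
        for p in blocked:
            skipped[p.pid] = f"conflicts with installed {sorted(p.conflicts & effective_installed)}"
            del selected[p.name]

    # Rule 3: a conflict only with depot contents (not with the host) is reported;
    # the patch can still be staged and applied.
    warnings: List[str] = []
    for p in sorted(selected.values(), key=lambda x: x.name):
        depot_only = {n for n in p.conflicts
                      if n in depot_by_name and n not in installed_names and n not in selected}
        for n in sorted(depot_only):
            warnings.append(f"{p.pid} conflicts with depot patch {n}")

    # Install order: prerequisites before dependents (DFS; no cycles assumed).
    order: List[str] = []
    done = set()

    def visit(p: Patch) -> None:
        if p.name in done:
            return
        done.add(p.name)
        for req in sorted(p.requires):
            if req in selected:
                visit(selected[req])
        order.append(p.pid)

    for p in sorted(selected.values(), key=lambda x: x.name):
        visit(p)
    return {"install": order, "skipped": skipped, "warnings": warnings}


def demo() -> dict:
    """Constructed scenario: the documented A/B/C case plus one of each other rule."""
    depot = [
        Patch("A", 1, conflicts=frozenset({"B"})),
        Patch("A", 2, conflicts=frozenset({"B"})),   # rule 4: two versions of A selected
        Patch("B", 1),                               # already on the host
        Patch("C", 1, obsoletes=frozenset({"B"})),   # rule 2: clears A's conflict
        Patch("D", 1, requires=frozenset({"E"})),    # rule 1: E pulled from depot
        Patch("E", 1),
        Patch("F", 1, conflicts=frozenset({"G"})),   # rule 3: G is depot-only, so warn
        Patch("G", 1),
    ]
    installed = [Patch("B", 1)]
    baseline = [depot[0], depot[1], depot[3], depot[4], depot[6]]
    return plan_remediation(baseline, depot, installed)


if __name__ == "__main__":
    print(demo())
```

The planner deliberately treats the rule 3 case as a warning rather than a block, matching the quoted text that such a patch "can be staged and applied"; conflicts between two patches inside the same baseline are not covered by the four rules and are left to the caller.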
Techie01
Hot Shot

This is not correct. Every ESXi patch includes patches for both VUM baselines and LCM images. As seen, the 7.0b and 7.0bs releases have both VUM and LCM images.

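To put Svedja's experiment and Techie01's point side by side: image compliance answers whether the host matches the desired spec, and nothing else, so a spec pinned to 7.0 GA stays "compliant" however many roll-ups the depot has gained since; the remedy is to raise the spec's ESXi version to the patch release. The added example below (written for this edit, not VMware code or any documented LCM API) models that distinction as two separate checks. The depot entries, their security flags, and the ordering of the "s" (security-only) variants below their full roll-up are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BaseImage:
    """One ESXi base-image entry as it would appear in a depot listing.
    Constructed for this example: labels follow the 7.0 naming used in the
    thread (GA, b, bs, U1); the security flags are illustrative, not release data."""
    version: str
    security: bool


# Label grammar assumed here: major.minor[.patch] [Un] [letter][s] [GA]
# e.g. "7.0GA", "7.0.0", "7.0.0b", "7.0.0bs", "7.0 U1", "7.0 U1a"
_LABEL = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\s*(?:U(\d+))?([a-z])?(s)?(?:\s*GA)?$")


def version_key(label: str) -> Tuple[int, ...]:
    """Sortable key: GA < security-only roll-up (...s) < full roll-up of the same
    letter < next letter < next Update. Placing the 's' variant below its full
    roll-up is this example's assumption (it ships a subset of the same fixes)."""
    m = _LABEL.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised ESXi label: {label!r}")
    major, minor, patch, update, letter, sec = m.groups()
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    full_rollup = 0 if sec else 1
    return (int(major), int(minor), int(update or 0), int(patch or 0), letter_rank, full_rollup)


def image_compliant(running: str, desired: str) -> bool:
    """What an image compliance check answers: does the host match the desired
    spec. It does not ask whether the spec itself is current."""
    return version_key(running) == version_key(desired)


def image_currency(desired: str, depot: List[BaseImage]) -> dict:
    """The check the compliance result does not give you: how far the desired
    spec lags what the depot already offers, and how much of that is security."""
    want = version_key(desired)
    newer = sorted((img for img in depot if version_key(img.version) > want),
                   key=lambda img: version_key(img.version))
    return {
        "desired": desired,
        "newest_available": newer[-1].version if newer else desired,
        "missing_rollups": [img.version for img in newer],
        "missing_security": [img.version for img in newer if img.security],
    }


# Constructed depot contents (flags are illustrative, not VMware release data).
CONSTRUCTED_DEPOT = [
    BaseImage("7.0.0", security=False),
    BaseImage("7.0.0bs", security=True),
    BaseImage("7.0.0b", security=True),
    BaseImage("7.0 U1", security=False),
]


def check_cluster(running: str, desired: str,
                  depot: List[BaseImage] = CONSTRUCTED_DEPOT) -> dict:
    """Both answers together: 'compliant' can be True while the spec is stale."""
    return {"compliant": image_compliant(running, desired), **image_currency(desired, depot)}


if __name__ == "__main__":
    # A 7.0 GA host against a 7.0 GA spec: compliant, yet behind two security roll-ups.
    print(check_cluster("7.0GA", "7.0GA"))
```

The useful operational habit this encodes is to alert on `missing_security` being non-empty, independent of the compliance result, and to treat updating the spec's ESXi version (to 7.0b or 7.0bs in the constructed data) as the action that turns the cluster non-compliant and therefore remediable.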

scott28tt
VMware Employee

Moderator: Thread moved to the Update Manager area.


Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog