Probably asked a thousand times, however, I have 25 ESX updates pending. What is the best practice - only install those patches specific to your hardware, i.e. Blades HS20, OR load up the lot?
Thanks.
Check out this thread for some options to automate things.
http://www.vmware.com/community/message.jspa?messageID=620290#620290
The best practice is to only load the patches that apply to your environment. So if the patch applies to an AMD processor and you have an Intel, do not apply it. Why risk putting a patch on your system if it does not apply?
http://www.vmware.com/community/thread.jspa?messageID=616709
Patch links:
Patch Management for ESX Server 3 - http://www.vmware.com/pdf/esx3_esxupdate.pdf
Download - http://www.vmware.com/download/vi/index.html
ESX patches - http://www.vmware.com/download/vi/vi3_patches.html#c4310
Virtual Center 2.0.1 Patch2 - http://www.vmware.com/support/vi3/doc/vc-201-200702-patch.html
Autopatching ESX host - http://virtrix.blogspot.com/2007/03/vmware-autopatching-your-esx-host.html
Patching and updating Vmware ESX Server 3 - http://download3.vmware.com/vmworld/2006/tac9858.pdf
Automated download of ESX patches - http://www.vmware.com/community/thread.jspa?messageID=600341
Patch Script: - http://www.vmprofessional.com/material/esx-autopatch.pl
Pre-compiled patchlist.txt - http://www.vmprofessional.com/material/3.0.1/patchlist.txt and http://www.vmprofessional.com/material/3.0.0/patchlist.txt
I agree that you should only put patches on that apply to your environment.
Here is a guide to patch automation too:
http://virtrix.blogspot.com/2007/03/vmware-autopatching-your-esx-host.html
My only question is the issue regarding whether or not to apply all patches or just the ones necessary to your environment. I have been told several times by VMware Support to go ahead and apply all patches. Here's their reasoning.
For the scenario of adding new equipment, if you had that new piece of hardware you would have to patch (in chrono order) to the necessary update for that new piece of equipment.
For the scenario of mixed environment...if you have multiple pieces of hardware, loss of patch order or incorrect order of patching.
I currently patch from IIS...tried NFS but did not like it. It's real easy to patch once you get the hang of it.
I just take the mind set to apply all patches...if there is a vulnerability in a patch and you didn't patch it regardless if it pertains particularly to your environment...you have your bases covered.
To each their own
Agreed, to each their own. I could see maybe if the patch had to do with a certain network or FC card that you potentially could be adding to the server at a later date. But for patches that have to do with specific processors I would not bother with, there is no chance of someone adding an AMD processor into an Intel server. I'm always worried a patch will potentially break something else.
Have been trying to use ./esx-autopatch.pl but having problems downloading the patchlist file. Have tried using both http and ftp with the same error;
could not open file:
./patchlist.txt.
Any ideas or come across this before...?
Do you have a copy of the script you are running?
Look at my links a couple posts up...
I'm sorry I was speaking to andrew pheonix. He was having problems.
Message was edited by:
derekn
Yes,
I am using the same script published to this thread above, and patchlist also from the links above for ESX v3.0.1. Initially I had problems as characters <> && etc... were being transformed, but got around this. I know the script runs as it creates the updates folder in /var/ it just gets stuck on;
ftp: it logs into ftp host and traverses to the 3.0.1 directory
$ftp->get('patchlist.txt');
http: I believe it is connecting to the http service but can't guarantee it
getstore ("$url/$version/patchlist.txt",'./patchlist.txt');
______________________________________________________
    # Download The patchlist.txt for the matching version number
    if ( $ftp ){
        $ftp = Net::FTP->new($ftp_host);
        print "Logging in to host $ftp_host\n";
        $ftp->login($ftp_user,$ftp_password) or die "Could not establish FTP connection with $ftp_host\n";
        print "Changing directory to $version\n";
        $ftp->cwd($version);
        $ftp->binary;
        $ftp->get('patchlist.txt');
    }
    if ( $http ){
        if ( !defined $url ){
            die "No url specified either on the command line or in the script... exiting\n";
        }
        print "Downloading updates from $url/$version\n";
        getstore ("$url/$version/patchlist.txt",'./patchlist.txt');
    }
Are you opening service console firewall for the ports ftp and http? It might be that.
I can access the ftp site without any problems from the command line of esx. However I have discovered that I didn't have access to the 3.0.1 sub-folder, all sorted now. Although my next problem is that the MD5SUM generated by the script is not matching those defined in the patchlist.
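Added example, not part of the thread or of esx-autopatch.pl: a standalone check of downloaded patch files against an MD5 manifest that separates missing files from checksum mismatches and tolerates a manifest saved with CRLF line endings. The manifest layout (`<md5-hex> <filename>` per line), the function names and the sample files are assumptions; the thread does not show the real patchlist.txt format.

```shell
#!/bin/sh
# Added example, not part of esx-autopatch.pl.
# ASSUMPTION: each manifest line is "<md5-hex> <filename>"; the real
# patchlist.txt layout is not shown in the thread.

# verify_manifest MANIFEST DIR
# Prints one status line per entry; return code is the failure count.
verify_manifest() {
    manifest=$1 dir=$2 failures=0
    while read -r want name _rest; do
        case $want in ''|'#'*) continue ;; esac      # blank line or comment
        case $name in
            ''|*/*|..|.)                             # must stay inside DIR
                echo "BADNAME  $name"; failures=$((failures + 1)); continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; failures=$((failures + 1)); continue
        fi
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f') # hex case is not significant
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $want, got $got)"
            failures=$((failures + 1))
        fi
    done <<EOF
$(tr -d '\r' < "$manifest")
EOF
    return "$failures"
}

# Constructed demo: an empty file with a correct entry (upper-case hash,
# CRLF line ending), a file whose entry is wrong, and an entry with no file.
demo() {
    d=$(mktemp -d) || return 99
    : > "$d/empty.tgz"
    echo "patch payload" > "$d/changed.tgz"
    printf '%s\r\n' \
        'D41D8CD98F00B204E9800998ECF8427E empty.tgz' \
        '00000000000000000000000000000000 changed.tgz' \
        'd41d8cd98f00b204e9800998ecf8427e absent.tgz' > "$d/patchlist.txt"
    verify_manifest "$d/patchlist.txt" "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "$? entries failed verification"
```

An MD5 match against a list fetched from the same server only shows the transfer was not corrupted; it does not show that the patch is the one the vendor published.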