andvm
Hot Shot

Keep vSAN Cluster updated


Hi,

Just looking for the best recommended approach to update a production vSAN Cluster:

  • A Cluster is built from a vendor custom ESXi image such as Dell.
  • A vSAN Cluster has a recommended baseline that is automatically attached to it. (Assume this gets updated automatically also.)
  • Moreover, there are Host Security and Critical Patches baselines that are also attached to it.

What is the process of updating the Cluster?

I am referring specifically to the ESXi version; we can skip the step about verifying the HCL, as I am aware of that.

Should I stick to what the Baseline Group vSAN Cluster states, remediate the Cluster and stop there? (After all, this is probably why there is this baseline, to just stick to it as it will be well tested.)

OR

Should I also apply Host Security and Critical Patches? If so, should I just tick both checkboxes to apply the latest patches, or should I create a more specific baseline for each with just the required rollup update/patch?

 


Accepted Solutions
Tibmeister
Expert

So the recommendation is to use Image Based patching for vLCM. When using baselines, the baseline will update at some point with new ESXi versions. Remember, vSAN is part of vmkernel, but not always patched or updated with every ESXi update.

Patching really doesn't change in regards to when and what: always, within reason and your own policies, keep your systems up to date.

You don't mention if you have stretched or 2-node clusters. If so, there are some added steps with the whole witness appliance.

11 Replies
andvm
Hot Shot

Just a standard vSAN cluster (no stretched or 2-node).

OK, so far I am keeping compliance with the vSAN recommended Baseline and not applying the Security and Critical Updates.

I will try to find out more about vLCM. I am used to applying the vendor bootable ISO for firmware and then applying the vendor Custom ESXi image on top of it, so I am not sure how this process will change with vLCM, as I find the vendor firmware ISO handy to apply all firmware updates at once.

Tibmeister
Expert

vLCM in vSphere 7.x definitely makes that easier if you have vendor integration tools. For me, we're a Dell shop, so OpenManage Integration for VMware vSphere (OMIVV) takes the guesswork of firmware out of the equation, and using Single Image on vLCM, the drivers are taken care of as well.

I would still apply the Security and Critical updates from a reliability and security standpoint; it won't hurt anything, just review the Release Notes.

andvm
Hot Shot

So this is what I understood:

The vSAN recommended baseline is updated, but not immediately when there are Critical/Security updates. (Guess this delay is for ensuring proper testing and vSAN Cluster stability.)

To update immediately, one needs to create a new Baseline that includes the respective Rolling Update and apply it to the Cluster (on top of the recommended vSAN cluster baseline).

I could not find any related Best Practices documentation for Updating a vSAN Cluster that covers the above points.

OMIVV: will check requirements/costs etc.

Tibmeister
Expert

Yeah, the best practices don't exist unfortunately, I really wish they did. The general guidance is to follow "standard" policies.

andvm
Hot Shot

Yes, sometimes you enter a loop, as in "standard policies" say follow vendor best practices. Thanks for confirming, and I appreciate your input.

TheBobkin
VMware Employee

@andvm, just a brief point from recent discussions with my colleagues: the vSAN baselines have not been updated in *quite* a while; these are scheduled to be updated in the next few days.

andvm
Hot Shot

Noted. So far I am remediating with the existing vSAN Cluster recommended baseline after applying the latest ESXi 7.0.2 Custom Dell Image.

I will check back in a few weeks' time for an updated baseline and remediate accordingly.

Tibmeister
Expert

So I did notice on my clusters that still use baselines, the vSAN Recommendation Baseline did update, but due to the bugs with ESXi 7.0 U3 in the past, you cannot use a patch baseline to update, so this default baseline is actually worthless. The good side is you know VMware and Dell have "blessed" ESXi 7.0 U3c for vSAN.

andvm
Hot Shot

FYI - I installed the latest vendor ESXi Image for ESXi 7.0U3 and applied the vSAN Baseline, which yes, looks to have been updated now, as it includes patches ESXi70U3d-19482537.

andvm
Hot Shot

@TheBobkin @Tibmeister 

So the vSAN recommended baseline remains on ESXi70U3d-19482537.

Under Lifecycle Manager and Updates I see ESXi70U3e-19898904 and ESXi70U3f-20036589 (and ESXi70U3sf-20036586 - not sure about the s meaning?).

Should I (I mean, is it safe and recommended) patch vSAN clusters with ESXi70U3f-20036589 (on top of the vendor custom ESXi), or does the fact that they are not included in the vSAN recommended baseline mean they need to undergo testing for vSAN Clusters by VMware, and thus I should wait?

 

Thanks

 
