VMware Cloud Community
paulie13
Contributor

Update Manager- Questions- Patch Release Cycle? How Often?

Hi everybody, I'm trying to search on vmware and on the web some information regarding best practice using Update Manager in vSphere 4.1.  I found white papers regarding how to patch, why we need to patch, etc.  I'm looking for answers that I'm not getting, hoping you guys can help:

1.  Does VMware have a scheduled patch cycle?  When do they release patches, monthly, quarterly, or on a "as needed" basis?

2.  My environment is over 300 hosts and 2000 VMs.  I'm looking for best practice on how to patch my environment.  Currently we patch quarterly, but sec ops is making us patch when the patches come out.  As I'm sure you can figure out, patching every time a new patch comes out can become tedious and time consuming.  We would be in a constant patching cycle.

3.  Does anybody have any documents or links that may help me?

4.  I'm open to suggestions or hearing about similar environments if you can relate.

Thanks,

Paulie13

Pikee99
Contributor

To answer your question:

Critical

VMware will begin work on a fix or corrective action immediately. VMware will provide the fix or corrective action to customers in the shortest commercially reasonable time.

Important

VMware will deliver a fix with the next planned maintenance or update release of the product and where relevant, VMware will release the fix in the form of a patch.

Moderate, Low

VMware will deliver a fix with the next planned minor or major release of the product.

So the answer is, "it depends on the type of patch"

I suggest you sit down with your security team and discuss this with them. It is not realistic to patch the entire environment "every time" a patch is released. There are criteria that you should analyze. What kind of patch is it? If it's critical, does it pertain to us? That is why they put the descriptions in the patches. If you have a "critical" update that fixes a major bug in a Qlogic driver and you're using Emulex HBAs in all your hosts, then pushing that patch is just a waste of time and effort. You must also consider there is risk in patching (bugs in the code, conflicts with other driver/components). You must mitigate the risk by only patching when needed. Mention this to your security team! (Do you remember the patch that caused the license expiration fiasco in ESX 3.x?)

The way we do it is we create 2 cycles, one for critical updates (we verify and patch bi-monthly if needed) and one for the rest (once every six months, again, if they pertain to us).

Honestly, our environment is much smaller than yours; we are currently at 50 hosts with about 630 VMs. We adhere to the following process:

For patching: Identify (patch identification, new patch available) -> Review (collect and review available patches) -> Assess (patch assessment and analysis) -> Test and Evaluate (patch testing and evaluation in a non-production, but similar environment) -> Deploy (implement in production)

Regards,

Rick

===============
Riccardo Ventura
Twitter: @Hypervise
LinkedIn: http://ca.linkedin.com/pub/riccardo-ventura/4/b5/827
My Blog: http://hypervise.wordpress.com
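
The triage described in the reply above (check applicability against what the hosts actually run, then route to one of two cycles), as an added example that is not part of the original post. Bulletin IDs, component names, hosts and cycle names are constructed placeholders and assumptions, not VMware data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    bulletin: str   # placeholder ID, not a real VMware bulletin
    severity: str   # vendor rating: critical / important / moderate / low
    component: str  # driver or subsystem the patch touches

# Constructed inventory: host -> components actually present on it.
INVENTORY = {
    "esx01": {"emulex-hba", "hypervisor-core"},
    "esx02": {"emulex-hba", "hypervisor-core", "intel-nic"},
}

# Constructed patch feed, including a mis-cased and an unknown rating.
PATCHES = [
    Patch("EXAMPLE-001", "critical", "qlogic-hba"),
    Patch("EXAMPLE-002", "critical", "hypervisor-core"),
    Patch("EXAMPLE-003", "moderate", "intel-nic"),
    Patch("EXAMPLE-004", "Important", "emulex-hba"),
    Patch("EXAMPLE-005", "urgent", "hypervisor-core"),
]

KNOWN_SEVERITIES = {"critical", "important", "moderate", "low"}

def triage(patch, inventory):
    """Return (cycle, hosts) for one patch."""
    hosts = sorted(h for h, comps in inventory.items() if patch.component in comps)
    severity = patch.severity.strip().lower()
    if severity not in KNOWN_SEVERITIES:
        # Unrecognised rating: send to a human instead of silently skipping.
        return "manual-review", hosts
    if not hosts:
        # Recorded, not dropped, so the decision can be shown to the security team.
        return "not-applicable", []
    cycle = "critical-cycle" if severity == "critical" else "routine-cycle"
    return cycle, hosts

def plan(patches, inventory):
    """Group patches by cycle; every entry still goes through test before deploy."""
    grouped = {}
    for patch in patches:
        cycle, hosts = triage(patch, inventory)
        grouped.setdefault(cycle, []).append((patch.bulletin, hosts))
    return grouped

if __name__ == "__main__":
    for cycle, entries in plan(PATCHES, INVENTORY).items():
        print(cycle, entries)
```

Keeping the "not-applicable" bucket in the output gives a written record of why a critical-rated patch was not pushed.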
Tarunkumar
Contributor

There is no such patch release cycle in VMware as Microsoft has for its operating systems. You can check continuously in Update Manager for any recent patch release and can apply them according to the advisory released by VMware. Don't apply all patches released by VMware; only apply the patches which will provide a fix or resolution for the issues within your infrastructure.

The best possible way is to reach out to VMware itself for any critical or major issues that exist within their infrastructure, as VMware will first test that patch within their labs, creating the same infrastructure as you have, and will analyse the impact of that patch in your infrastructure.
