Yeah, I saw that in the notes, that's why I gave it a long, long time to update... but those log entries seemed to indicate something was broken, the way they repeated almost the entire time after I initiated the update.  I did find that my VEEAM instance kicked on for some jobs, and though maybe that was causing the issue (as it uses vcenter to stage / manage the VMs during backups), so I shut it down, rolled back to 5.1 (snapshots are awesome), and am now trying again.

Nah... same errors... I'll just see if it just takes a very long time... all centers around vami-sfcb not "coming up" in this script.

And... it finally finished, whopping 1.5 hours...

I ran the update and it took about 45 minutes. Quite annoying

André

The issue is that the new openssl libraries do not match the (not updated?) hash files which are older:

-r-xr-xr-x 1 root root 1685176 Jul 10  2012 /usr/lib64/libcrypto.so.0.9.8
-r-xr-xr-x 1 root root  343040 Jul 10  2012 /usr/lib64/libssl.so.0.9.8

-rw-r--r-- 1 root root      65 Jan 11  2012 /usr/lib64/.libcrypto.so.0.9.8.hmac
-rw-r--r-- 1 root root      65 Jan 11  2012 /usr/lib64/.libssl.so.0.9.8.hmac

Once you delete (or move) the .hmac files OpenSSL will work fine again, just without the FIPS stuff (I doubt anyone really needs this anyway...). Most likely it is sufficient to delete the .hmac files before running the update from the GUI.

@VMware: I consider this to be a serious bug.

If you run into this AFTER trying to update the appliance, you'll have more trouble waiting even if SSL works again.

If the update did not finish or was interrupted during the long wait time, the postinstall script was not run. Most likely the vpxd will not start with the error message

     "Database version id '510' is incompatible with this release of VirtualCenter."

This will also break any attempt to re-install the update, which will result in a "Failed to install updates`(Error while running installation tests)".

Try the following:

- SSH to the appliance

- cd /usr/local/tcserver/vfabric-tc-server-standard/

- check if more than one subdirectory tomcat-6.x and tomcat-7.x exists.

  - if yes, de-install the older version of vfabric-tc-server:

    rpm -q vfabric-tc-server-standard

    rpm -e vfabric-tc-server-standard-2.6.4-1 (in my case)

  The reason is that otherwise /usr/lib/vmware-vpx/rpmpatches.sh will fail since some "ls .... | grep ..." statements do not properly check if ls returned more than one result... #bug

- cd /opt/vmware/var/lib/vami/update/data/job/

- cd into the latest subdirectory, which should have the higest number

- run the postinstall script:

  ./post_install '5.1.0.5300' '5.1.0.10000' 0 (the first one is the old build number, in my case for 5.1.0b)

  Ignore any errors.

- update the manifest

  ./manifest_update

- reboot the appliance

I hope I did not forget any steps I did during the troubleshooting, otherwise let me know in which problems you run, and I'll try to remember. 😉

This worked for me and saved the vCenter data(base) with the whole configuration.

Oh, and in case you're running the appliance in a home lab don't forget to change the config files to reduce the memory requirements. 😉 Some of them have been overwritten by the update.

http://www.vaspects.com/2013/04/24/minimizing-vcenter-memory-appliance/

Cheers,

Martin

Martin, thanks for the advise, it helped getting Vcenter up running 🙂

Q1:

However I do worry what state my Vcenter is in now .... should I assume that I can apply the next patch for Vcenter after following your recipe ?

Q2:

Would you recommend following the advise from Davi-jvs in this thread about manually installing openssl from the iso after I have followed your recipe, and maybe get FIPS back (dont know if I need it, but I am sure it is there for a reason) ?

Q3:

And after the last reboot, I still have 2 tomcat folders in /usr/local/tcserver/vfabric-tc-server-standard/

tomcat-6.0.36.A.RELEASE

tomcat-7.0.32.B.RELEASE

Should I attempt to do something about this ?

Thanks in advance

Carsten

Hi Carsten!

Thanks, good to know. 🙂

Q1: Well, after all this manual changes I would not consider the appliance to be in a stable state. If it was a production environment I would migrate the appliance to a fresh installation NOW (on the other hand: in production I would have had a snapshot or backup anyway...). In my test environment I plan to give the update a shot, just to see what happens. But afterwards I will migrate. Until that I just leave the appliance running, had no issues yet.

Q2: Depends. If the update finished (i.e. was interrupted during this ridiculous >1 hour wait time) the libraries are most likely already updated. Check with "rpm -qa | grep openss" in a SSH session on your vcenter appliance. On my system it looks like this:

openssl-0.9.8j-0.26.1

openssl-certs-0.9.8h-27.3.1

openssl-0.9.8j-0.44.1

openssl-certs-1.85-0.6.1

openssh-5.1p1-41.55.1

libopenssl0_9_8-0.9.8j-0.26.1

openssh-5.1p1-41.51.1

libopenssl0_9_8-0.9.8j-0.44.1

Which means everything has been updated to the versions in the updaterepo, and you cannot use Davi-jvs' advice - you'll only get "already installed" if trying.

@all: how's the list on an appliance after a successful update? Are the older versions of the packages removed?

I doubt FIPS is an issue, I would just leave it as it is. The hash files were included in libopenssl0_9_8-0.9.8j-0.26.1, they are no longer included in 0.44.1, so I suppose the FIPS support has been dropped anyway. I played around a bit and regenerate the hashes:

/usr/bin/fips_standalone_sha1 /usr/lib64/libcrypto.so.0.9.8 > /usr/lib64/.libcrypto.so.0.9.8.hmac

/usr/bin/fips_standalone_sha1 /usr/lib64/libssl.so.0.9.8 > /usr/lib64/.libssl.so.0.9.8.hmac

chmod 644 /usr/lib64/.libcrypto.so.0.9.8.hmac /usr/lib64/.libssl.so.0.9.8.hmac

The system boots up fine, otherwise no noticable change. Anyone from #VMware on this?

Q3: Nope, that's fine, don't change anything. Both versions are installed by the vfabric-tc-server-standard-2.8.1-1 package. The problem was caused by the older version still installed, so that there were TWO directories for 6.0.x and TWO for 7.0.x. That broke the script.

Cheers,

Martin