VMware Cloud Community
stanj
Enthusiast

5.1 upgrade and patch for Heartbleed

I am running ESXi 5.1 build 1065491 and vCenter 5.1.

I am upgrading to 5.5.

My plan was to upgrade to ESXi 5.5 U1 (build 1623387).

Then, apply the Heartbleed patch 201404001.

However, I see there is an ESXiU1-Rollup_2 patch, but the instructions say it cannot be used for an upgrade and only for new installs.

If that is the case, how do you get the Rollup2 driver updates for a newly updated ESXi 5.5 U1?

thanks

0 Kudos
14 Replies
vThinkBeyondVM
VMware Employee

Hi Friend,

As per the KB below, it seems you can even go for the path below:

VMware ESXi 5.5, Patch Release ESXi550-201404001

Apply this patch on ESXi 5.5 hosts to resolve all issues fixed in ESXi 5.5 Update 1, and additionally the OpenSSL Heartbleed issue.

VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160

You will find another option as well in the above KB.

On your query, can you please point me to the KB that you are referring to?

For VC 5.1, you can go directly for upgrading to VC 5.5 U1a.

vCenter Server 5.5 Update 1a Release Notes


----------------------------------------------------------------
Thanks & Regards
Vikas, VCP70, MCTS on AD, SCJP6.0, VCF, vSphere with Tanzu specialist.
https://vThinkBeyondVM.com/about
-----------------------------------------------------------------
Disclaimer: Any views or opinions expressed here are strictly my own. I am solely responsible for all content published here. Content published here is not read, reviewed or approved in advance by VMware and does not necessarily represent or reflect the views or opinions of VMware.

0 Kudos
stanj
Enthusiast

hi,

It appears Patch Release ESXi550-201404001 is to be used if you are on ESXi 5.5.

I am currently running 5.1, so I have to update to 5.5 using VMware-VMvisor-Installer-5.5.0.update01-1623387.x86_64.iso

That was found in this blog.

http://blogs.vmware.com/kb/2014/04/patching-esxi-5-5-heartbleed-without-installing-update-1.html

The info about the roll-up is in the README - ESX5.5U1-SuperISO-2-README.pdf

Important: The ESXi 5.5.1 Driver Rollup 2 is designed for fresh installations of ESXi hosts.

VMware does not support using the ESXi 5.5.1 Driver Rollup 2 to upgrade an existing ESXi installation.

The pdf can be found at the below link

http://www.tinkertry.com/vmware-esxi-5-5-update-1-driver-rollup-2-released-apr-24-2014/

So, I am not sure how the driver Rollup2 updates are applied.

0 Kudos
a_p_
Leadership

Do you need any of the drivers from the rollup (driver version can be found in the readme for the Rollup image)? Unless that's the case, you may proceed with the steps you mentioned.

If driver updates are required, download the individual drivers manually from the VMware drivers download page and apply them manually or via Update Manager after upgrading the host to the latest patch bundle.

André

0 Kudos
stanj
Enthusiast

The reason I ask about the drivers ..

When I installed ESXi 5.1 on the Dell PE R510, it failed with what I think was a driver issue.

I had to download a special ESXi Image from the Dell Web Site.

I am hoping this is corrected in ESXi 5.5? And,

when applying the patch for Heartbleed, I will use esxcli "update" instead of "install".

Stan

0 Kudos
a_p_
Leadership

VMware does integrate all individual drivers in their image, that's why vendors offer OEM images for their specific hardware. You may want to consider using the DELL image "VMware ESXi 5.5 Dell Version: A04, Build# 1746974" (which already contains the Heartbleed patches) from Driver Details | Dell US for the upgrade.

André

0 Kudos
stanj
Enthusiast

Thanks


That is a better option..

Then, no need to use esxcli to patch ESXi, even though I moved the zip to the datastore :smileygrin:

0 Kudos
a_p_
Leadership

Yes and no. No need to apply the patch to resolve the Heartbleed issue. However, according to the build number, DELL offers version 5.5.0c, i.e. the build without Update 1a. Maybe due to the NFS issue in Update 1!? If you want to patch the host to Update 1a, you may apply patch "ESXi550-201404001" after the upgrade. I'd recommend you run esxcli with the "update" option as well as with "--dry-run" to see which vibs will be replaced.

André

0 Kudos
stanj
Enthusiast

I have ESXi550-201404001.zip on the datastore.

I was going with the below cmd:

esxcli software vib update -d "/vmfs/volumes/50851ccb-d83b2e2e-e82f-782bcb47bf37/ISOs/ESXi550-201404001.zip"

What will I be able to tell about vibs being replaced?

I am not sure I would know right from wrong :smileyconfused:

0 Kudos
a_p_
Leadership

Just add "--dry-run" to the command line to simulate what the command would do.

esxcli software vib update -d "/vmfs/volumes/50851ccb-d83b2e2e-e82f-782bcb47bf37/ISOs/ESXi550-201404001.zip" --dry-run

André

0 Kudos
stanj
Enthusiast

ok, using dry-run,

is this more to see if there are errors vs seeing what is actually being updated?

0 Kudos
a_p_
Leadership

It will just show you which vibs will be added/removed and which stay the same.

André

0 Kudos
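
The dry-run check discussed above, as an added example that is not part of the original thread: a small POSIX shell function that reads the output of `esxcli software vib update ... --dry-run` and reports which VIBs would be replaced, added, removed or left unchanged. The sample output, its version strings and the `ExampleOEM` VIB are constructed for illustration, and the function name `summarize_dryrun` is hypothetical; it assumes `awk` is available where the output is processed.

```shell
#!/bin/sh
# Added example: summarise `esxcli software vib update ... --dry-run` output.
# SAMPLE_DRYRUN is constructed for illustration; its version strings are not
# taken from a real host. VIB IDs look like Vendor_acceptance_name_version.
SAMPLE_DRYRUN='Installation Result
   Message: Dryrun only, host not changed. The following installers will be applied: [BootBankInstaller]
   Reboot Required: true
   VIBs Installed: VMware_bootbank_esx-base_5.5.0-1.16.1746018, VMware_locker_tools-light_5.5.0-1.16.1746018, ExampleOEM_bootbank_net-example_2.0.0-1OEM
   VIBs Removed: VMware_bootbank_esx-base_5.5.0-1.15.1623387, VMware_locker_tools-light_5.5.0-1.15.1623387
   VIBs Skipped: VMware_bootbank_ata-pata-example_0.3.10-3vmw, VMware_bootbank_scsi-example_1.0.0-1vmw'

# Reads dry-run output on stdin; prints one line per change plus a summary.
summarize_dryrun() {
    awk '
    # Parse a comma-separated VIB list into ver[kind,name] and ord[kind,i].
    function load(line, kind,   items, p, n, m, i, j, name) {
        sub(/^[^:]*:[ \t]*/, "", line)
        n = split(line, items, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            m = split(items[i], p, "_")
            if (m < 4) continue                 # empty list or malformed ID
            name = p[3]
            for (j = 4; j < m; j++) name = name "_" p[j]
            ver[kind, name] = p[m]
            ord[kind, ++cnt[kind]] = name
        }
    }
    /Dryrun only/      { dry = 1 }
    /Reboot Required:/ { reboot = $3 }
    /VIBs Installed:/  { load($0, "new") }
    /VIBs Removed:/    { load($0, "old") }
    /VIBs Skipped:/    { load($0, "skip") }
    END {
        for (i = 1; i <= cnt["new"]; i++) {
            name = ord["new", i]
            if (("old", name) in ver)
                print "REPLACE " name " " ver["old", name] " -> " ver["new", name]
            else
                print "ADD " name " " ver["new", name]
        }
        for (i = 1; i <= cnt["old"]; i++) {
            name = ord["old", i]
            if (!(("new", name) in ver)) print "REMOVE " name " " ver["old", name]
        }
        print "UNCHANGED " (cnt["skip"] + 0)
        print "REBOOT " (reboot == "" ? "unknown" : reboot)
        print "DRYRUN " (dry ? "yes" : "NO - host may have been changed")
    }'
}
printf '%s\n' "$SAMPLE_DRYRUN" | summarize_dryrun   # run on the sample
```

A `REMOVE` line with no matching `REPLACE` is the case worth reading closely before patching, since it means a VIB (for example an OEM driver) would be dropped rather than upgraded.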
stanj
Enthusiast

A new security announcement came out last week for ESXi 5.5 (note: for ESXi 5.5 without patch ESXi550-201403102-SG).

Is the above patch included in the Heartbleed patch or Update 1a?

I upgraded to 5.5 from 5.1 and applied the patch for Heartbleed and am at ESXi build 1746018 and am wondering if this new patch needs to be applied.

Based on the build number of 1746018, I would think it is included?

thanks

0 Kudos
a_p_
Leadership

According to KB 2065827, ESXi550-201403102-SG is a security patch for VMware Tools included in the Update 1 bundle. The latest Heartbleed patch includes/replaces the VMware Tools .vib, so you should be ok. (see ESXi 5.x Patch Matrix)

André

0 Kudos
stanj
Enthusiast

ok thanks

I moved on to the vCenter 5.1 to 5.5 upgrade,

but ran into http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=206051...

I tried 3 times and still get the error - Simple Install Setup Wizard ended prematurely.

The vCenter is in a work group, but I would not think this should matter if I have the DNS set and FQDN.

0 Kudos