host lifecycle for publication update manager, vmworld 2017€¦ · host lifecycle management...

Eric Gray

SER1963BE

#VMworld #SER1963BE

Technical Overview of VMware ESXiHost Lifecycle Management with Update Manager, Auto Deploy, and Host Profiles

@eric_gray

VMworld 2017 Content: Not fo

r publication or distri

bution

Are ESXi patches

cumulative?

How do I patch

custom OEM

images?

With Auto Deploy, is

DHCP a single point

of failure?

Do stateless hosts

keep SSH & SSL

identities after

reboot?

When do I need to

upgrade a host

profile?

#SER1963BE CONFIDENTIAL

bution

Update Sequence for vSphere 6.5 and Compatible Products

KB 2147289Mastering the VMware Tools Lifecycle in

Your vSphere Data Center

[SER1957BE] Wednesday 11:00

bution

End of General Support Is Here for ESXi Releases Prior to 5.5

ESXi 6.5 Recently Extended!

bution

VMware ESXi – Despite the CLI, It’s NOT Linux

6#SER1963BE CONFIDENTIAL

bution

Understanding the ESXi Disk Partitioning Scheme

bootbank

scratch

altbootbank

250 MB

286 MB

bution

Host Updates Are Applied to the Unused Bootbank

bootbank

altbootbank

:~] cat bootbank/boot.cfg

bootstate=0

build=6.0.0-2.37.3825889

updated=10

:~] cat altbootbank/boot.cfg

bootstate=0

build=6.0.0-2.34.3620759

updated=9

bution

VIB Details are Available Through esxcli

bution

Build numbers and versions of VMware ESXi

KB 2143832

bution

Access My.VMware to Download Patch Releases

Only the latest download is required –

ESXi patches are cumulative

bution

Demystifying VMware ESXi Patch Release Contents

• VIB #1

• VIB #2

• VIB #3

• VIB #1

• VIB #2

• VIB #3

ESXi650-201703401-BGCategory: BugfixSeverity: Critical

Patch Release: ESXi650-201703001

Bulletins Image Profiles

• VIB #1• VIB #2• VIB #3

ESXi-6.5.0-20170304001-standard

• VIB #1• VIB #2• VIB #3

• VIB #4• VIB #5• VIB #6

• VIB #7• VIB #8• VIB #9

ESXi650-201703001.zip

Each item above has a corresponding KB article#SER1963BE CONFIDENTIAL

bution

Optimized OEM Custom Images from VMware Partners

ISO or offline bundle from

your favorite server vendor

Optimized drivers and

management agents

From My.VMware or

partner support sites

bution

But how can I patch OEM images?

Create new image with PowerCLI

or GUI Image Builder

Update Manager applies

patches to all images

bution

But how can patches be cumulative with such varying sizes?

bution

Security-only Profiles Without Other Enhancements or Fixes

bution

These “s” Profiles Include Two Variations of Certain VIBs

Same release dates,

Different versions

bution

Select an Update Approach Based on Desired Optimizations

Scalable

Automated

Interactive

Simple

Deploy

Scripts

bution

Update Manager Automates the Patching Process

• VUM downloads ESXi patches via the Internet

• Administrators create and attach patch baselines

• DRS enables rolling updates with zero downtime

bution

Intelligent Integration with vSAN Clusters in vSphere 6.5 U1

VUM Determines Best

vSAN Upgrade

Generates Baseline and

Downloads Software

bution

Update Manager Patches are Bulletins, not Image Profiles

bution

UPGRADE

VUM Can Patch or Upgrade Multiple ESXi Releases

Remediation Supported by VUM 6.5

bution

VUM Architecture Improvements in vSphere 6.5

vCenter Server

6.0 or 6.5

on Windows

Update

Manager

on Windows

VCSA 6.5 with

Integrated VUM

Additional Windows VM for VUM

Extra configuration & DB dependency

Sizing and latency considerations

No inherent backup or failover

Integrated and enabled by default

Zero setup; embedded DB

Scalable and low impact on resources

Leverages VCSA HA and backup

Migration

Support!

bution

increase

Update Manager Scalability Increased in vSphere 6.5

Concurrent Operations 6.0 6.5

ESXi host scan 75 232

ESXi host patch / upgrade 71 232

VMware Tools / VM hw scan 90 200

VMware Tools / VM hw upgrade 75 200

bution

Why Stateless Compute Infrastructure?

Unified Workflow

Install Patch Upgrade

Consistency

Faster deploymentsReduced effort

Centralized ControlImagesConfigurationDiagnostics

Efficiency

bution

Configure Auto Deploy Hosts with Host Profiles

• Use any combination of configuration tools:

PowerCLI, esxcli, graphical interfaces

• Modified elements are part of profile

• Names and values are case-sensitive

Extract settings

from a

configured host

CREATE

Copy from a host

Edit via GUI

UPDATE

bution

Host Profiles are Forward Compatible

VMware ESXi

Host Profile

bution

Upgrade Hosts First, then Update the Host Profile

VMware ESXi

Host Profile

VMware ESXi

Host Profile

bution

Hosts Also Require Unique Configuration Settings

root pass

hostname

bution

Mandatory Customizations Must be Provided for Compliance

root pass

10.197.34.86

255.255.255.0

172.24.10.86

255.255.0.0

**********

hostname

host86.vcritical.com

bution

Provide host

customizations

in CSV file

bution

efficiency and

maintain a

config record!

bution

Unique Identifiers are Properly Handled for Stateless Hosts

SSL Certificates

SSH Keys

bution

Catch a Glimpse of Zero-Touch Cluster Deployments

bution

Side-by-Side Compliance Results

Quickly determine

course of action!

bution

Rolling or Parallel Profile Remediation

Reduces time

monitoring

remediation!

bution

Easily Copy Settings From One Profile to Many

Manage

Multiple Host

Profiles More

Effectively!

bution

If you want uptime, prepare for downtime

Photo: Luis García

Boot storms

Infrastructure

dependencies

Auto Deploy backup

bution

Auto Deploy Reverse Proxy Caching in vSphere 6.5

Improve host boot time &

reduce impact on vCenter Server

bution

Take Regular Backups of Auto Deploy Configuration

New PowerCLI cmdlet in

vSphere 6.5 – exports config,

database, SSL certs, cache,

and more

bution

Stateless Hosts Often Rely on Dynamic IP Addressing

NIC ● MAC Address ● Switch

Single points of failure?

approaches to

improve DHCP

resiliency

bution

Configure Redundant Physical Boot Interfaces and Switches

bution

1) Redundant DHCP Reservations

Associate two MAC addresses

with one IP address

VMkernel uses the boot MAC

bution

2) DHCP Boot & Transition to Static IPs

Use pool of DHCP addresses,

No reservations

Configure Host Profile with

Static IP addresses

bution

3) Dedicated DHCP Boot Network – Operational Traffic on vDS

VLAN dedicated for PXE booting

on-board NICs

Host management interface is

on vDS – DHCP or static

bution

Multiple Approaches to vSphere Host Lifecycle Management

bution

Host Lifecycle Management Takeaways

• VMware ESXi patches are cumulative!

– Patches, upgrades, and fresh installs result in a similar state

• Develop workflows to keep OEM images secure from exploits

• Choose the lifecycle management approach that is best for your data center

– Stateful with Update Manager applies patch bulletins

– Auto Deploy uses complete ESXi image profiles for all operations

• vSphere 6.5 enhancements boost manageability and reliability

– Embedded Update Manager with increased scale

– Bulk host customizations

– Simple reverse proxy setup

– Quick Auto Deploy configuration backup

bution

Additional Resources and Opportunities to Interact

UX Design Studio – ESXi Lifecycle

https://calendy.com/vsphere-lifecycle/eu/

“Meet the Experts”

[MTE4718E] Wednesday 13:15VMworld 2017 Content: N

ot for publicatio

n or distribution

bution

host lifecycle for publication update manager, vmworld 2017€¦ · host lifecycle management...

Documents

patchdroid: third party security patches for android ·...

custom patches

alabama patches

lead seal patches

underwater casing patches

secure system setup coen 250. system administration...

coccidian tales - kanyana wildlife rehabilitation...

ipv6 address management for ipv6 assessment, deployment...

custom air force ocp patches - aviator gear · custom air...

not content: 2018 vmworldlifecycle management • lifecycle...

new managing host and cluster lifecycle · 2020. 10. 7. ·...

patches: summer 2011

pvc military patches

applying patches

patches magazine

activision patches | activision patches for sale

mission patches

network intelligence security advisory · access and host...

patches giasso

mo patches oracle