KNOWLEDGE
- Describe Update Manager capabilities
VMware Update Manager (VUM), today called VMware vCenter Update Manager (VCUM? ;-) ), is a tool for updating host and guest operating systems and applications. According to the VMware website, it offers:
- Automated patching for VMware ESX Server hosts, select online and offline Microsoft Windows and Linux-based virtual machines, as well as for applications from third-party vendors such as Adobe and Mozilla.
- Automated scanning of servers in the data center for compliance to static or dynamic baselines.
- Automated remediation for VMware ESX Server and ESX Server 3i hosts, select Microsoft virtual machines and applications.
- Automated snapshots prior to patching to enable rollback in case of patching failures
- Secure offline virtual machine patching to reduce the risks associated with non-compliant systems joining the corporate network.
- Integration with VMware DRS for non-disruptive patching of VMware ESX Server hosts.
More detailed information on VUM capabilities can be found here: http://vmware.com/
- Explain VUM architecture and components
Update Manager is a component of VMware vCenter. You can install VUM from the vCenter installation wizard. To use the VUM GUI from the vCenter client, you must install a plug-in. It is also possible to install VUM on a separate server. Be aware that VUM accounts for a relatively large share of the disk space required by the vCenter installation.
- Describe DRS-enabled remediation
DRS or Dynamic Resource Scheduling is used to move Virtual Machines to other servers to evenly distribute the load these VMs require across all ESX hosts. When patching an ESX host, the host must be placed into maintenance mode. In this state there are no Virtual Machines active on this particular server. The Virtual Machines are distributed across the other ESX hosts in the cluster. The host to which a VM is migrated is picked based on the most resources available. This principle allows ESX server to
SKILLS AND ABILITIES
- Install and Configure Update Manager
- VUM Server
VUM Server is a part of the vCenter installation. When installing vCenter you can choose to leave out or install the Update Manager. Using this principle it is also possible to only install VUM.
To select a different path, change it during install:

- VUM Agents
The VMware Update Manager Guest Agent facilitates Update Manager processes. For both Linux and Windows operating systems, the Guest Agent is installed the first time a remediation is scheduled or when a scan is initiated on a powered-on virtual machine. For best results, ensure that the latest version of the Guest Agent is installed. If the Guest Agent installation does not complete successfully, operations such as scanning and remediation fail. In such a case, manually install the Guest Agent. The Guest Agent installation packages for Windows and Linux guests are in the directory you specified during the Update Manager installation. In that directory, the Guest Agent installation packages are located at \docroot\vci\guestAgent\. For example, if Update Manager is installed in
C:\Program Files\VMware\Infrastructure\Update Manager
the Guest Agent installers are at
C:\Program Files\VMware\Infrastructure\Update Manager\docroot\vci\guestAgent\.
The Guest Agent requires no user input, and the installation completes silently. For Windows, start the installer by running the
VMware-UMGuestAgent.exe
file. For Linux, install the VMware-VCIGuestAgent-Linux.rpm file by running the command:
rpm -ivh VMware-VCIGuestAgent-Linux.rpm
- VUM Download Server
The VUM Download Server is a separate server that can be installed to download patches when the VUM server itself is not able or allowed to connect to the internet.
There is a thread in the community explaining the use of a separate download server and how to use the
vmware-umds
command.
Take a look at this community effort explaining vmware-umds here!
- VI-Client Plug-in
To manage VUM and the patching of servers, there is a plug-in for the vCenter client. This Update Manager plug-in adds an extra button for managing Update Manager.
- Perform Update Manager tasks
- Establish baselines
A baseline defines either a fixed set of updates or a dynamically created selection of updates based on all available updates, including the most recently added ones. You can benefit from customized baselines to meet the needs of your specific deployment. Creating additional, customized baselines allows updates to be grouped into logical sets. You administer baselines by using the Update Manager button in the VI Client. This button appears in the VI Client installations that have the Update Manager plug-in installed.
- Dynamic
To create a dynamic baseline using the New Baseline wizard
- Connect the VI Client to a VirtualCenter Server on which Update Manager is installed and click the Update Manager button.
- On the Baselines tab, click New Baseline.
The New Baseline wizard appears.
- Provide a name and a description of the baseline, and select a target. Update Manager does not support baselines that apply to both target types. Baselines must apply to either ESX Server hosts or virtual machines.
- Click Next.
- Select Dynamic for the type of baseline.
- Click Next.
The Dynamic Baseline Criteria page appears.
- Customize the baseline by entering specific criteria to filter the updates.
- Text contains – Enter text to restrict the updates displayed. Text entered in this field is searched for conformity in all text fields of the available updates.
- Product – Select operating systems or products for which this baseline includes patches. You can select multiple products or operating systems, but only updates applicable to the product or operating system of the machine being evaluated are scanned.
- Severity – Select the severity of updates to be included in this baseline.
- Language – Select which language versions of patches to include.
- Released Date – Provide Before and After dates to specify a range for the release dates of the updates.
- Update Vendor – Select one of the listed update vendors.
- Add or remove specific updates to/from this baseline – Select the check box to add or remove specific updates.
- Click Next.
Depending on the choices you make, one of the following pages appears:
- The Ready to Complete page, if you just filtered the updates
- The Exclusions page, if you selected to add or remove specific updates from the baseline.
- In the Exclusions page, select individual updates to exclude from your baseline and click the down arrow.
- Click Next.
The Inclusions page appears.
- Select individual updates that do not meet the filter criteria set up in Step 7, to include them in the baseline, and click Next.
- Review the Ready to Complete page, and click Finish.
- Fixed
To create a fixed baseline using the New Baseline Wizard
- Connect the VI Client to a VirtualCenter Server on which Update Manager is installed and click the Update Manager button.
- On the Baselines tab, click New Baseline.
The New Baseline wizard appears.
- Provide a name and a description for the baseline, and select a target.
Update Manager does not support baselines that apply to both ESX Server hosts as well as virtual machines. Baselines must apply to either target type.
- Click Next.
- Select Fixed for the type of baseline.
- Click Next.
The Updates page appears.
- Customize the baseline.
Select individual updates to include or from your baseline and click the down arrow.
- To find specific updates to choose from, click Filter.
- In the Updates Filter page, enter search criteria and click Find.
- Text contains – Enter text to restrict the updates displayed. Text entered in this field is searched for conformity in all text fields of the available updates.
- Product – Select operating systems or products for which this baseline will include patches. You can select multiple products or operating systems, but only updates applicable to the product or operating system of the machine being evaluated are scanned.
- Severity – Select the severity of updates to be included in this baseline.
- Language – Select which language versions of patches to include.
- Released Date – Provide After and Before dates to specify a range for the release dates of the updates.
- Update Vendor – Select one of the listed update vendors.
Select any further updates.
- Click Next.
- Review the Ready to Complete page and click Finish.
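The difference between the two baseline types matters most when new patches are released. The sketch below is an added example, not VMware code: the `Update` and `DynamicBaseline` classes, the update identifiers and the inclusive date bounds are all assumptions made to model the wizard fields described above, including the Exclusions and Inclusions pages.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Update:                      # constructed model of one catalog entry
    uid: str
    text: str
    product: str
    severity: str
    released: date

@dataclass
class DynamicBaseline:
    # Wizard criteria; None means "do not filter on this field".
    text_contains: Optional[str] = None
    products: Optional[frozenset] = None
    severities: Optional[frozenset] = None
    released_after: Optional[date] = None     # bounds treated as inclusive (assumption)
    released_before: Optional[date] = None
    exclusions: set = field(default_factory=set)  # Exclusions page
    inclusions: set = field(default_factory=set)  # Inclusions page

    def matches(self, u: Update) -> bool:
        return all((
            self.text_contains is None or self.text_contains.lower() in u.text.lower(),
            self.products is None or u.product in self.products,
            self.severities is None or u.severity in self.severities,
            self.released_after is None or u.released >= self.released_after,
            self.released_before is None or u.released <= self.released_before,
        ))

    def resolve(self, catalog) -> set:
        """Re-evaluate the criteria against whatever the catalog holds now."""
        known = {u.uid for u in catalog}
        matched = {u.uid for u in catalog if self.matches(u)}
        return (matched - self.exclusions) | (self.inclusions & known)

# Constructed sample catalog (not real patch identifiers).
CATALOG = [
    Update("UPD-001", "Security fix for service console", "ESX 3.5", "Critical", date(2008, 3, 1)),
    Update("UPD-002", "Driver update", "ESX 3.5", "Moderate", date(2008, 4, 1)),
    Update("UPD-003", "Security fix for kernel", "ESX 3.5", "Critical", date(2008, 5, 1)),
    Update("UPD-004", "Security fix for browser", "Windows XP", "Critical", date(2008, 5, 2)),
]
dynamic = DynamicBaseline(text_contains="security", products=frozenset({"ESX 3.5"}),
                          severities=frozenset({"Critical"}),
                          exclusions={"UPD-001"}, inclusions={"UPD-002"})
fixed = frozenset(dynamic.resolve(CATALOG))   # a fixed baseline is a frozen selection
NEW = Update("UPD-005", "Security fix for hostd", "ESX 3.5", "Critical", date(2008, 6, 1))
```

Resolving `dynamic` against `CATALOG + [NEW]` picks up `UPD-005` automatically, while `fixed` keeps its original two updates until someone edits it.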
- Manage and attach baselines
To attach a baseline
- Connect the VI Client to a VirtualCenter Server on which Update Manager is installed.
- Navigate to the virtual infrastructure object to attach the baseline to, click the Update Manager tab, and click the Attach Baseline link in the upper-right corner.
- Select one or more baselines to be attached and click OK.
- Schedule and perform scans
You can get Update Manager to automatically scan virtual machines and ESX Server hosts by using preestablished tasks or you can manually initiate scans, as required by users. To produce compliance information, you can run scans against objects that have baselines attached to them. When you scan an object, the scan is performed against all updates, but compliance information is produced only for the updates included in a baseline attached to the object. To manually initiate a scan:
- Connect the VI Client to a VirtualCenter Server on which Update Manager is installed.
- Click Inventory in the navigation bar. For virtual machines, click Virtual Machines and Templates. For ESX Server hosts, click Hosts and Clusters.
- In the left pane, right-click a container object to be scanned and click Scan for Updates. All child objects of the object on which the scan is initiated are also scanned. The larger the virtual infrastructure and the higher up in the object hierarchy you initiate the scan, the longer the scan takes. If the ESX Server hosts within a container object are disconnected, they are not scanned. Even if all ESX Server hosts are disconnected, when you right-click the container, the Scan for Updates option is available, but actual scanning is never performed.
- When prompted to confirm that you want to scan all the objects and child objects, click Yes. You can view the result.
- To schedule a scan
- Connect the VI Client to a VirtualCenter Server on which Update Manager is installed, and click Scheduled Tasks.
- Click New in the toolbar to open the Select a Task to Schedule dialog box.
- From the drop-down menu, select Scan for Updates and click OK.
- Select the type of scan to schedule. Click Next.
- Select the objects to be scanned. Click Next. For all objects selected, all child objects are scanned as well.
- Configure when the task will run based on the state of the virtual machine or ESX Server. Click Next.
- Review the summary information for the task to be completed and click Finish.
- Interpret scan status and compliancy
Update Manager provides a means to quickly check how machines comply with baselines. You can review compliance either by examining results for a single virtual machine or ESX Server, or by reviewing the results for a grouping of virtual machines or ESX Server hosts. Compliance information is available on the Update Manager tab in the VI Client. For ESX Server hosts, you can view compliance in the Hosts and Clusters view. For virtual machines, you can view compliance in the Virtual Machines and Templates view.
Supported groupings include virtual infrastructure container objects such as folders, clusters and datacenters.
Baselines interact with virtual machines in the following ways:
- If a user does not have permissions to view an object, an object’s contents, or a virtual machine, the results of those scans are not displayed.
- Compliance with baselines is assessed at the time of viewing. This means a brief pause might occur while information is gathered about virtual machines’ compliance, to ensure that all information is current.
- Only information about compliance with relevant baselines is provided. For example, if a baseline is not attached to the container in question, compliance is not assessed. Similarly, consider the case in which a container has Windows XP and Windows Vista virtual machines, and baselines for Windows XP and Windows Vista patches are attached to this container. In such a case, the Windows Vista virtual machines are assessed for compliance with Windows Vista baselines, and the results are displayed. The same Windows Vista virtual machines are not assessed for compliance with Windows XP patches, and as a result, the status of their compliance is displayed as not applicable.
- Compliance status is displayed based on permissions. Users with permission to view a container but not all of the container’s contents are shown the aggregate compliance of all entities under that container, but the individual counts for compliant, not compliant and unknown entities only appear as the user’s permissions permit. To view the compliance status, the user must also have permissions to view the baseline or software update compliance status for an object in the inventory.
When you scan an ESX Server host against a fixed baseline containing only updates obsoleted by newer ones, and the newer updates are already installed on the ESX Server host, the compliance status of the old updates is not applicable. If the newer updates are not installed on the ESX Server, the compliance status of the old updates is not compliant. You can install the non-compliant updates after starting a remediation process.
When you scan an ESX Server host against a fixed baseline, containing both obsolete and newer updates, the old updates are displayed as not compliant. Only the newer updates are installed after starting a remediation process.
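The status rules above are easy to misread when auditing a scan report, so here they are as a small model. This is an added example, not Update Manager code: the `Update` class, `scan`, `remediation_plan` and the update identifiers are hypothetical, and the case of a baseline holding both an obsolete and a newer update is modelled literally as the text states it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Update:                       # constructed model, not a VUM data structure
    uid: str
    product: str
    obsoleted_by: Optional[str] = None   # uid of the newer update, if any

def scan(baseline, target_product, installed):
    """Return {uid: status} for one target against one attached fixed baseline."""
    in_baseline = {u.uid for u in baseline}
    result = {}
    for u in baseline:
        if u.product != target_product:
            status = "not applicable"        # e.g. XP patch vs. Vista VM
        elif u.uid in installed:
            status = "compliant"
        elif u.obsoleted_by in installed and u.obsoleted_by not in in_baseline:
            status = "not applicable"        # superseded, newer one already installed
        else:
            status = "not compliant"
        result[u.uid] = status
    return result

def remediation_plan(baseline, target_product, installed):
    """Updates a remediation would install: the non-compliant ones, skipping any
    obsolete update whose replacement is in the same baseline."""
    in_baseline = {u.uid for u in baseline}
    status = scan(baseline, target_product, installed)
    return sorted(u.uid for u in baseline
                  if status[u.uid] == "not compliant"
                  and u.obsoleted_by not in in_baseline)

# Constructed sample updates (identifiers are placeholders).
OLD = Update("UPD-OLD", "ESX 3.5", obsoleted_by="UPD-NEW")
NEW = Update("UPD-NEW", "ESX 3.5")
XP = Update("UPD-XP", "Windows XP")
```

A "not applicable" result for an obsolete update therefore means the host already carries its replacement, not that the scan skipped the host.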
- Schedule and perform remediation
Manual ESX Server Remediation
You can manually remediate ESX Server hosts on a case-by-case basis. To manually initiate a remediation:
- Connect the VI Client to a VirtualCenter Server on which Update Manager is installed.
- Click Inventory and click Hosts and Clusters.
- Click the Update Manager tab.
- Right-click the object to be remediated and click Remediate. All child objects of the object on which the remediation is initiated are also remediated. The larger the virtual infrastructure and the further up in the object hierarchy you initiate the remediation, the longer the process takes. If the ESX Server hosts within a container object are disconnected, they are not remediated. Even if all ESX Server hosts are disconnected, when you right-click the container, the Remediate option is available, but actual remediation is not performed.
- Select the baselines to apply and click Next.
- To exclude individual updates from the remediation process, deselect their check boxes and click Next.
- (Optional) Review the list of updates to be excluded, and click Next.
- Select the host remediation options, including the time to initiate the remediation actions as well as the remediation failure response options, and click Next.
- Review the summary information for the task to be completed, and click Finish.
You can remediate ESX Server hosts at predetermined times by using scheduled tasks. To schedule ESX Server remediation
- Connect the VI Client to a VirtualCenter Server on which Update Manager is installed.
- Click the Scheduled Tasks button.
- Right-click the Scheduled Task pane and click New Scheduled Task.
- Select Remediate, and click OK.
- Select ESX Servers, and click Next.
- Select the objects to which this remediation is applied, and click Next. All ESX Server hosts under the selected object are remediated as well. The Baselines page appears.
- Select the baselines to apply, and click Next.
- To exclude individual updates from the remediation process, deselect their check boxes and click Next.
- (Optional) Review the list of updates to be excluded, and click Next.
- Select the host remediation options, including when the remediation takes place as well as how remediation failures are handled, and click Next.
- Review the summary information for the task to be completed, and click Finish.
- Rollback
You can roll back a failed server update by reverting to a previous snapshot.
- Troubleshoot remediation failures
To gather information about recent events on the Update Manager server for diagnostic purposes, use the Generate Update Manager log bundle functionality that the support script vum-support.wsf provides. To generate an Update Manager log bundle
- Log in to the VirtualCenter Server on which Update Manager is installed.
- Choose Start > All Programs > VMware > Generate Update Manager log bundle.
Log files are generated as a ZIP package, which is stored on the current user’s desktop.
TOOLS