The Why's and How's of ESX patching
From the new VMware Security Blog, Nand Mulchandani responds to the article by Ron Oglesby and Dan Pianfetti at virtualization.info about the number of patches that VMware has released for VI3.
Link: VMware Security Blog > ESX patching questions.
Recently there was an article on “Patch Tuesday for VMware” over at Virtualization.info. It is an interesting article that raised some questions that we thought we might be able to shed some light on. The article was more focused on patching and not security alone, but since patching has now been so closely associated with security, so I'll jump in and provide a response on our security blog.
As the article points out, "patching is a necessary evil" - and that the existence of ESX patches should not come as a shock to anyone. So let’s talk about the sinister plan behind the increase in ESX patches. ...
You should read the whole thing. (Seriously. Nand explains it well.) One gee-whiz part for me is with the new Update Manager -- and even pre-3.5 with just DRS and VMotion -- how the end-user and admin experience for VI patches is very much not like MS Patch Tuesday. The other gee-whiz is the percent of patches that have been going to the Red Hat-derived Service Console, which of course with 3i is now gone.
Posted by John Troyer on December 13, 2007 in security
, support
, VMware Infrastructure 3
| Permalink |
Thanks..
Posted by: mp3 | December 13, 2007 at 10:51 PM
My Question is? Does that mean you have to have purchased VMotion to get the benefits of Update Manager auto managing the patch process using it. So what about those customers who don't have VMotion, now they will have to take down multiple servers to patch one ESX server.
Posted by: Simon | December 14, 2007 at 06:07 AM
@Simon: Update Manager will still automanage the patch process for ESX Server even if you don't have VMotion, but your VMs will be interrupted. Life with VMotion is indeed better and somewhat revolutionary, which is why we want folks to upgrade (and why we don't think "Quick Migration" equivalents are at all the same). Update Manager will also patch your virtual machines, which doesn't require VMotion.
What we've also done is split the old Update Releases into lots of patches, but the key is that most of them are optional and independent, so you can pick and choose and keep service interruptions to a minimum. And not to repeat the blog post, but I'd expect 3i and descendants to require fewer patches as well.
Posted by: John Troyer | December 14, 2007 at 05:01 PM