

Understanding ESXi Patches – Finding Patches

Kyle Gleed, Sr. Technical Product Manager, VMware

I recently met with a customer who was confused about patching ESXi hosts.  Not only did she have questions about where to find patches, she was confused about what to do with them once she finally had them.  I know she’s not alone so I figured a refresher on ESXi patching would be helpful.

Of course the easiest way to manage ESXi host patches is with Update Manager, and for most of us this simply entails letting Update Manager automatically download patches as they become available and then scheduling a time to remediate the hosts. However, there are situations where Update Manager may not be allowed access to the Internet in order to automatically download patches. In addition, there are some who, for whatever reason, either cannot or choose not to use Update Manager. For these folks patching is still very easy, although a little bit more involved.

Probably the easiest way to get a list of available patches is from VMware’s online patch portal at http://www.vmware.com/patchmgr/download.portal.  From the patch portal you simply select the architecture (ESX or ESXi), specify your version, and then click the search button.  The screen shot below shows my query to get all the ESXi 5.0 patches.

[Screenshot: patch portal search query for ESXi 5.0 patches]

The search will return a list showing all the available ESXi 5.0 patches.  For each patch you will see the name, size, and download information on the left and a list of all the updates included in the patch on the right.  Note that for each fix there is also a link to a related KB article where you can get more information about a specific fix or update.

[Screenshot: search results listing the available ESXi 5.0 patches]

To download the patch simply select it by clicking in the checkbox next to the patch name and click the “Download Now” button. You can download a single patch or multiple patches. Each patch will be saved as a separate .zip file. Once you’ve downloaded the patches you have a few options on how to install them. Again, probably the easiest way to install patches is using Update Manager, but you can also use the ESXCLI command or PowerCLI. In addition you can also use the Image Builder CLI to add the patch to your installation ISO so that it will automatically be included when you install new ESXi hosts. Stay tuned as over the next few days I'll be posting the steps for each of these options…

Follow me on twitter @VMwareESXi

26 thoughts on “Understanding ESXi Patches – Finding Patches”

  1. Brucek

    Kyle — a question I have that is debated often online related to VMware ESXi patches — are these Cumulative, or does one have to apply ESXi patches sequentially?

  2. Kyle Gleed

    Patches are cumulative. We typically release patch bundles every 3 months. A new patch bulletin will include all the updates/fixes from any earlier bulletins.

  3. Anders O

    Ok, so the latest ESXi build (515841) includes all the iSCSI fixes that were released with build 504890?
    Are there any exceptions to this cumulativeness? What about drivers, for instance? Will all the drivers included in ESXi500-201112001 automatically be included in the next patch/build of ESXi?

  4. Kyle Gleed

    Say Patch01 includes updates for the following VIBs: “esxi-base”, “driver10” and “driver 44”. And then later Patch02 comes out with updates to “esxi-base”, “driver20” and “driver 44”.
    P2 is cumulative in that the “esxi-base” and “driver44” VIBs will include the updates in Patch01. However, it’s important to note that Patch02 does not include the “driver 10” VIB as that module was not updated.
    So yes patches are cumulative, but you need to pay attention to the VIBs included in each patch as we may not include all VIBs with the patch.
    Note, if we update a VIB the patch will include any dependent VIBs even if they weren’t updated.

  5. gman

    If these patches are only patches – how come I can download anyone of them and build out an installation of ESXi on baremetal with them?? I don’t see where there is a package available for “just a patch” to install on top of ESXi. Each patch listed when you search ESXi 5 for all patches is a full 295 MB ISO, not just a basic patch. Please explain.

  6. gman

    Scratch that last post, I was looking in the wrong area, the .zip files are just patches and not the full ISO.

  7. Kyle Gleed

    Patches are provided as updated VIB packages. Applying a patch involves simply overwriting/replacing the older VIB package on the host with the newer copy.
    It is possible to download a single VIB file (.vib) and use the “esxcli software vib install” command to update/patch your hosts. However, VMware typically doesn’t just release individual VIBs. With the full ESXi image only being ~300MB it’s just as easy to provide the full set of VIBs with each patch – so when you download a patch, you don’t just get the one or two patched/updated VIBs, but you get all the VIBs. Hence why each time you download a single patch, you get the full ~300MB. With the full download you will get a new updated Image Profile and you can easily patch your host using VUM or “esxcli software profile install”.

  8. Marek Breunda

    How about patching ESXi installed from a customized OEM image? Is it safe to install patches directly from VMWare? Is it guaranteed that the patch can’t replace any custom driver, for example?

  9. Kyle Gleed

    Point patches may not be cumulative. The VIB Updates are cumulative, but the point patch may not include other updated VIBs from earlier point patches. Check the patch release notes for a list of VIBs updated by the patch. The VIBs in a later patch will include updates from earlier patches. However, the patch itself may not include the same VIBs updated from an earlier patch. i.e. if patch01 updates “esx-base”, patch02 updates “tools”, and patch03 updates “esx-base”. You would need to install patch02 and patch03. The “esx-base” updates in patch01 would be included with patch03, but patch03 would not include the tools update.
    Note that software updates like “Update 1” or “Update 2” are roll-up patches that include all the prior point patches. So patching to Update 2 would be cumulative.
    If you patch a host and want to revert back, reboot the host and type “SHIFT+R” at the boot prompt. This will revert back to the prior configuration (before the patch). ESXi runs with two boot banks. If you are running off boot bank 1, patches will get applied to boot bank 2 and the host reconfigured to boot from boot bank 2. If you need to revert back, the SHIFT+R tells the host to boot off boot bank 1, which would have the prior (un-patched) configuration.
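
The point-patch rule described in the comment above, worked through as an added example (not part of the original thread and not VMware tooling). The bulletin and VIB names follow the comment; the integer versions and the `patches_needed` helper are constructed for illustration, and a VIB missing from the host is assumed to count as outdated.

```python
# Added illustration: which point patches must be applied so that every VIB
# ends up at its newest released version. Versions are constructed integers.

def patches_needed(patches, host):
    """patches: [(bulletin, {vib: version})] in release order.
    host: {vib: installed version}. Returns the bulletins to apply, in order."""
    newest = {}  # vib -> (newest version seen, bulletin that carries it)
    for bulletin, vibs in patches:
        for vib, version in vibs.items():
            if vib not in newest or version > newest[vib][0]:
                newest[vib] = (version, bulletin)
    # A bulletin is required if it is the newest carrier of a VIB that the
    # host has at an older version (or does not have at all: assumption).
    required = {bulletin for vib, (version, bulletin) in newest.items()
                if host.get(vib, 0) < version}
    return [bulletin for bulletin, _ in patches if bulletin in required]

# The scenario from the comment: patch01 and patch03 both update "esx-base",
# patch02 updates only "tools".
PATCHES = [
    ("patch01", {"esx-base": 2}),
    ("patch02", {"tools": 2}),
    ("patch03", {"esx-base": 3}),
]

if __name__ == "__main__":
    unpatched_host = {"esx-base": 1, "tools": 1}
    # patch01 is superseded by patch03; patch02 is still required for "tools".
    print(patches_needed(PATCHES, unpatched_host))
```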

  10. SysAdmin-E

    Hi Kyle:
    Someone asked the questions below and it hasn’t been answered. I have the same question also. I just set up an ESXi host using the “HP Custom Image for ESXi 5.0.0 Update 1 Install CD” from VMware and am wondering how that custom image should be updated. Should I wait for an update to that HP Custom Image or can I update using any VMware update? Thank you.

    How about patching ESXi installed from customized OEM image? Is it safe to install patches directly from VMWare? Is there guaranteed that the patch can’t replace any custom driver for example?

    1. Peter Sun

      I installed ESXi 5.0.0U1 on a DL380p Gen8 server using HP custom image. After I downloaded ESXi500-201204001.zip from vmware and upgraded it, my network adapters are gone, old network driver is removed!

      Don’t upgrade any patch if you don’t know what part of your system will be removed.

      1. Mark Oinonen

        Same issue:

        installed ESXi 5.0.0U1 on a DL380p Gen8 server using HP custom image. After I downloaded ESXi500-201204001.zip from vmware and upgraded it, my network adapters are gone, old network driver is removed!

        I enabled the ESXCLI Shell from console.

        I used the “Shift-R” rollback to get to previous unpatched bootbank. Then I re-applied the VMWare update with UPDATE switch instead of INSTALL from ESXCLI Shell from console (also applied ESXi500-201205001.zip, 6 and 7) and the server is working OK. Question is what may have been skipped using UPDATE?

        1. Kyle Gleed (Post author)

          When you run “esxcli software profile install …” it installs the image in the depot overwriting the existing image. In your case you have a VIB on your host that provides drivers needed for your NICs. This VIB is not included as part of the 5.0 U1 update (probably came from Dell?). So when you “installed” the update you lost this driver and hence the drivers were gone. After restoring from the alternate bootbank the VIB was restored. Then, when you repeated the install using the UPDATE switch instead of overwriting the image, it updated any VIBs on the host for which an updated version was available in the depot and added any VIBs that were missing, but it did not remove any VIBs.

          “esxcli software profile install”: Installs or applies an image profile from a depot to this host. This command completely replaces the installed image with the image defined by the new image profile, and may result in the loss of installed VIBs. To preserve installed VIBs, use profile update instead.

          “esxcli software profile update”: Updates the host with VIBs from an image profile in a depot. Installed VIBs may be upgraded (or downgraded if --allow-downgrades is specified), but they will not be removed. Any VIBs in the image profile which are not related to any installed VIBs will be added to the host.
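
The difference between the two commands quoted above, modelled as an added example (not part of the original thread and not VMware code). It predicts which VIBs each command would remove from a host built from a partner image; the VIB inventory, version tuples and the `partner-nic-driver` name are constructed assumptions.

```python
# Added illustration of "profile install" versus "profile update" semantics.
# VIB names and version tuples are constructed sample data;
# "partner-nic-driver" is a hypothetical OEM driver VIB.

def profile_install(host, profile):
    """'profile install': the installed image is replaced by the profile."""
    return dict(profile)

def profile_update(host, profile, allow_downgrades=False):
    """'profile update': upgrade or add VIBs, never remove any."""
    result = dict(host)
    for name, version in profile.items():
        if name not in result or version > result[name]:
            result[name] = version
        elif allow_downgrades:
            result[name] = version
    return result

def diff(before, after):
    """Summarise what a command would change on the host."""
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "changed": sorted(n for n in before
                          if n in after and after[n] != before[n]),
    }

def preflight(host, profile):
    """Compare the effect of both commands before touching the host."""
    return {
        "install": diff(host, profile_install(host, profile)),
        "update": diff(host, profile_update(host, profile)),
    }

# Constructed host inventory: stock VIBs plus one partner driver VIB.
HOST = {"esx-base": (5, 0, 0, 1), "tools-light": (5, 0, 0, 1),
        "partner-nic-driver": (1, 2)}
# Constructed image profile from a VMware patch depot (no partner VIB).
PROFILE = {"esx-base": (5, 0, 0, 2), "tools-light": (5, 0, 0, 1),
           "misc-drivers": (5, 0, 0, 2)}

if __name__ == "__main__":
    for command, changes in preflight(HOST, PROFILE).items():
        print(command, changes)
```

On a real host, the `--dry-run` option of both esxcli commands reports the VIB-level operations that would be performed without changing the system.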

  11. Kyle Gleed

    If you are using a custom image from a partner I would recommend you also get your updates from the partner. Custom images provided by partners will include additional VIBs and any updates to these VIBs will need to come from the vendor. To make sure you don’t miss any updates, it’s best to use the images provided by the partner.
    You can patch the custom image using VMware patches. VMware will patch the VIBs they provide, so there shouldn’t be any issues with installing patches provided by VMware to an image provided by a 3rd party. So if VMware releases a critical security fix, you can apply the patch right away w/out having to wait for the partner.

  12. Rob

    Can the search be updated so that it is possible to search for all patches released from a certain date.
    For example if I updated my hosts last month and I go back to the site to look for any new patches I only want to search for patches that have been released in the last month (i.e. since I updated my hosts).

  13. Leon Wang

    Hi,

    I had managed to download the patches network speed for existing server is 100MB full duplex and OS installed on USB thumb driver.

    I had used the cross cable direct connect to network port from my notebook always hit time out if more than 10 second through SFTP software. Anyway the patch file (ZIP) format size should be more than 500 mb and even SFTP software able to extend time out till 100 second.

    Is there any solution ?

    Regards,

    Wang Chen Yung

  14. BS

    Kyle, regarding using an HP provided image. If one were to apply a critical security patch to that image using esxcli should they use the -update switch or the -install switch? As I understand it -update will only update vibs that exist in the image and are marked as updated within the patch. Is there a chance that a security patch could contain new, necessary vibs? Also, how does VUM handle that distinction?

  15. Thomas

    Hi Kyle,
    1. What BS asked, that's my question, too. Would you kindly have an answer for us? Thank you.
    2. Many VIBs require a reboot of the host after the installation. If I updated 3 VIB ..005-…007 to the host, is it not enough to boot the host past the third update?

  16. Wilson Huang

    Could I apply multiple patches by release day order before reboot?

    ex: the host is ESXi 5.0 build 702118

    step1. Deploy ESXi500-201206001, ESXi500-201207001, ESXi500-201209001 in sequence without reboot in each deployment?
    step2. Reboot host after deploy ESXi500-201209001 completed.

  17. caribbeanpirate123456

    Hi Kyle,
    Vmware update patch is definitely confusing me also. It seems like partially Cumulative.
    I am responsible for Esxi advisory analysis and version evolution, then I should have very clear idea of those patches relationship or Matrix.
    for instance: if we only patch Esxi410-201011001 and Esxi410201201001 in base version Esxi 4.1.0 build 260247, then which build number it should show up? the higher one?

  18. Beshoy

    Does the last recent batch contain all other previous batches, or should I install all batches? For example, if I installed U2 batch, should I need to install batches older than it?
    Thanks in advance

  19. Q

    If I upgrade a Host from a standard vmware supplied 5.1 iso to a HP Customised 5.5 iso, if it doesn’t work, can I:

    1) Roll back to the previous install

    If no;

    2) Can I “upgrade” to the standard vmware iso over the top of the Customised .iso to effectively “reinstall” to the standard 5.5 without losing the config? Hopefully that makes sense.

    Can you go from a Customised iso install and “upgrade” to a standard vmware iso if the version is later than the current one installed? or vice versa?

    Thanks
