The VCF Async Patch tool can be used to patch individual BOM products on vSAN Ready Nodes and VxRail environments. The BOM products that can be individually async patched include:
VCF on vSAN Ready Nodes: VC, NSX, ESXi
VCF on VxRail: VC, NSX, ESXi/VxRail composite bundle
The Async Patch Tool is supported with VMware Cloud Foundation 4.2.1 and later
Future VCF upgrade version: VCF releases that are patched with async patches of BOM products can be upgraded to future VCF releases as stated in https://kb.vmware.com/s/article/88287
Operating System: Supported with Linux (includes Cygwin support) and Windows (includes WSL support) environment
Flowchart
Commands
Remove Older version of the tool and configure TCP keepalives
Modify properties to below $ vim ~/.ssh/config TCPKeepAlive yes ServerAliveInterval 30
Download Async Patch Tool
Online – can download bundles to SDDC manager to connect to depot.vmware.com.
How do I download async patch tool?
user: vcf
Download Tool
1. Log into VMware customer connect and select your current version of VCF 2. Click “Drivers & Tools” 3. Expand VMware Cloud Foundation Tools and click Go To Downloads in the Async Patch Tool row and download the tool
Refer commands below for 4. Extract the tool to SDDC Manager (online) or DMZ machine (offline) which has connectivity to depot.vmware.com 5. Ensure tool has right permissions
How do I install the tool on the SDDC Manager?
User: vcf
$ mkdir /home/vcf/asyncPatchTool
$ cp vcf-async-patch-tool-<version>.tar.gz /home/vcf/asyncPatchTool (Copy the Async Patch Tool file (vcf-async-patch-tool-<version>.tar.gz) that you downloaded in step 1 to the /home/vcf/asyncPatchTool directory)
$ tar -xvf vcf-async-patch-tool-<version>.tar.gz (Navigate to /home/vcf/asyncPatchTool and extract the contents of vcf-async-patch-tool-<version>.tar.gz)
Set the permissions for the asyncPatchTool directory $ cd /home/vcf/ $ chmod -R 755asyncPatchTool $ chown -R vcf:vcf asyncPatchTool
Demo
List Patches
How do I list patches available for async patching in the Async Patch Tool?
--depotUser ${DEPOT_USER} VMware Customer Connect email address --sku ${SKU_TYPE} Supported values VCF, VCF_ON_VXRAIL --${PRODUCT_TYPE} Supported values NSX_T_MANAGER,VCENTER,ESX_HOST --outputDirectory ${OUTPUT_DIRECTORY} Specify a location forthe download; default/root/apToolBundles --proxyServer, --ps Connect to the internet through a proxy server; --proxyServer FQDN:port
Post Input – Enter Y to confirm that you are running the latest version of the Async Patch Tool – Enter Y or N to choose whether or not to participate in the VMware Customer Experience Improvement Program (CEIP) – Enter your VMware Customer Connect (Depot) password
What does it output?
The tool will list a table of async patches and their details to the console in human-readable format:
List Option
Demo
Download Async Patch / Enable an Async Patch / Upload Patch to the SDDC manager
How do I enable async patch on my environment?
The Async Patch Tool downloads the patch and uploads it to the internal LCM repository on the SDDC Manager appliance
--${PRODUCT_TYPE}:${PRODUCT_VERSION} Product and Version of the parch retrieved from the "list patch"command. If the product type is VX_MANAGER, enter your Dell EMC Depot user name and password. (VxRail only) --depotUser ${DEPOT_USER} VMware Customer Connect email address --sddcSSOUser ${SSOuser} SSO user account, forexample, [email protected] --sddcSSHUser ${SDDC_SSH_USER} SDDC SSH account, forexample vcf --pdu ${PARTNER_DEPOT_USER} Dell EMC Depot email address. (VxRail only) --proxyServer, --ps Connect to the internet through a proxy server; --proxyServer FQDN:port --it ${INSTANCE_TYPE} ONLINE/OFFLINE
Post Input – Enter Y to confirm that you are running the latest version of the Async Patch Tool – Enter Y to acknowledge prerequisites- Enter Y or N to choose whether or not to participate in the VMware Customer Experience Improvement Program (CEIP) – Enter the password for the super user (vcf) account – Enter the password for the root user account – Enter the password for the SSO user account- Enter your VMware Customer Connect (Depot) password – Enter Dell EMC Depot user name and password if the product type is VX_MANAGER
Demo
Log in to the SDDC Manager UI and apply the async patch to all workload domains
The patches that were enabled show up in the SDDC Manager. This should be run as a regular upgrade from the SDDC Manager.
Disable all Patches
How do I disable the patches?
After the patches have been applied from the SDDC manager, they need to be disabled using the AP tool
Post Input – Enter Y to confirm that you are running the latest version of the Async Patch Tool – Enter Y or N to choose whether or not to participate in the VMware Customer Experience Improvement Program (CEIP) – Enter the password for the super user (vcf) account – Enter the password for the root user account – Enter the password for the SSO user account
Demo
Enable Future Upgrade/Download Future Bundles/Upload futurebundles to SDDC Manager (Upgrade from VCF 4.x to 4.y)
--${TARGET_VCF_VERSION} Target version of VMware Cloud Foundation --depotUser ${DEPOT_USER} VMware Customer Connect email address --sddcSSOUser ${SDDC_SSO_USER} SSO user account, forexample, [email protected] --sddcSSHUser ${SDDC_SSH_USER} SDDC SSH account, forexample vcf --pdu ${PARTNER_DEPOT_USER} Dell EMC Depot email address. (VxRail only) --proxyServer, --ps Connect to the internet through a proxy server; --proxyServer FQDN:port --${INSTANCE_TYPE} ONLINE/OFFLINE --outputDirectory ${OUTPUT_DIRECTORY} Location of transferred artefacts from DM-Z machine to SDDC-M in caseforoffline customers. This is optional foronline SDDC-M environments. Default output path: /root/apToolBundles Post Input – Enter Y to confirm that you are running the latest version of the Async Patch Tool – Enter Y or N to choose whether or not to participate in the VMware Customer Experience Improvement Program (CEIP) – Read the information and enter Y to acknowledge the pre-requisitesEnter the password for the super user (vcf) account – Enter the password for the root user account – Enter the password for the SSO user account – Enter your VMware Customer Connect (Depot) password – If the product type is VX_MANAGER, enter your Dell EMC Depot user name and password (VxRail only) – Enter Y or N to choose whether or not to download vRealize bundles
The Async Patch Tool determines which bundles are required, downloads the bundles, and uploads them to the internal LCM repository on the SDDC Manager appliance
Demo
Log in to the SDDC Manager UI and Upgrade to a future VCF version
Standalone commands
Enable CEIP
Enables or disables telemetry collection for data relevant to Async Patch Tool operations. This is a one-time operation that will configure the tool for all future operations
$ ./bin/vcf-async-patch-tool –ceip “<Boolean>”
Help
Lists the different types of options supported by the tool
${AP_TOOL_DIR}/bin/vcf-async-patch-tool -h
Inventory Sync
This operation updates the VCF inventory of NSX-T, ESXi and VC with the accurate information of the versions run by the actual products, keeping the record that the VCF instance is up-to-date. This option should be exercised by the customers when the customers have done any out of band upgrades.
–depotUser ${DEPOT_USER} : Required to be specified for online SDDC-M environments
–pdu ${PARTNER_DEPOT_USER} : Required to be specified for online Vxrail SDDC-M environments
–outputDirectory ${OUTPUT_DIRECTORY} : Required to be specified for for offline SDDC-M environments. This should be the location of transferred artefacts from DM-Z machine to SDDC-M. This is optional for online SDDC-M environments. Default output path: /root/apToolBundles
Post-check
This option can be used to verify if the patch enablement has been completed successfully or failed. It internally will ensure that all the requested patches have been uploaded to LCM and are showing as available for upgrade.
–depotUser ${DEPOT_USER}: Required to be specified for online SDDC-M environments
–pdu ${PARTNER_DEPOT_USER}: Required to be specified for for online Vxrail SDDC-M environments
–outputDirectory ${OUTPUT_DIRECTORY}: Required to be specified for for offline SDDC-M environments. This should be the location of transferred artefacts from DM-Z machine to SDDC-M. This is optional arg for online SDDC-M environments
Pre-check
Validate system environment is able to perform enable patch.
–depotUser ${DEPOT_USER}: Required to be specified for online SDDC-M environments
–pdu ${PARTNER_DEPOT_USER}: Required to be specified for for online Vxrail SDDC-M environments
–outputDirectory ${OUTPUT_DIRECTORY}: Required to be specified for for offline SDDC-M environments. This should be the location of transferred artefacts from DM-Z machine to SDDC-M. This is optional arg for online SDDC-M environments
–productType, –ptype <String>: Product type, ESX_HOST,NSX_T_MANAGER, VCENTER listAsyncPatch in order to filter the list by product type.
–proxyServer, –ps <String>: Used when internet connectivity is only available through a proxy server. Provide proxy server addressand port in ‘<FQDN:port>’ format.
To Note:
–depotPassword <String> MyVMware login password. Should be specified in quotes if any special characters are included
–depotUser, –du <String> MyVMware login user name. Should be specified in quotes if any special characters are included
Troubleshooting
Log Location
Log for the Async patch tool is async_patch_tool.log. Tail -f to see log details. The tool prints the INFO or above level logs to the console. The tool prints the current location of the log file when the process is running, copies over the log files to /var/log/vmware/vcf/lcm/tools/asyncpatchtool directory once the tool finishes the execution to allow SoS collection
Disabling All Patches Ends Unexpectedly with Failure Waiting for LCM Service to come up
The script used to clean up bundles in the disable patch workflow intermittently gets stuck and exits out.
In this scenario, there is a chance that LCM was never restarted if the script exited unexpectedly.
If this occurs, ensure the LCM service is up and running correctly and retry AP Tool operation
Enable Future Upgrade on VxRail fails with Exception
partnerBundleMetadata.json filedoes not exist at location /nfs/vmware/vcf/nfs-mount/bundle/depot/local softwareCompatibilitySets.json filedoes not exist at location /nfs/vmware/vcf/nfs-mount/bundle/depot/local
Make sure the partnerBundleMetadata.json and softwareCompatibilitySets.json are correctly placed in /nfs/vmware/vcf/nfs-mount/bundle/depot/local
Make sure a permission of 755 on the above location , for the vcf_lcm user
Invalid Permissions Issue
If the output directory was copied over to the sddc VM without setting proper ownership/permissions, the tool will fail when uploading bundles with error similar to:
2022-04-2714:12:12.147[ERROR] Unexpected error occurred uploading bundle {"status":500,"code":"Internal Server Error","message":"INSUFFICIENT_BUNDLE_DELETE_PERMISSIONS; /nfs/vmware/vcf/nfs-mount/apToolBundles/manifests/bundle-47505.manifest file can not be deleted due to insufficient permissions. vcf_lcm user must have read and write access to /nfs/vmware/vcf/nfs-mount/apToolBundles/manifests directory or upload bundle files from any directory where vcf_lcm user have read and write access."}
Unwanted bundles are enabled on environment and cleanup has to be performed
If the patches enabled using AP tool are required to be cleaned up, please login your SDDC VM as root user and run disable all patches command: Error Message
The tool uses root credentials for performing the operations such as config property update, etc as required for the operations.
If there are multiple attempts with either blank or invalid password, the user account is locked on SDDC VM. Follow the steps below to reset the number of failed logins by the root user.
Reset failed root login attempts
1. Login as root into the vCenter shell. 2. Execute - pam_tally2 --user=root --reset
Invalid Permissions Issue
To fix the error, ensure that the output directory has proper vcf:vcf 755 permissions:
