
The Why’s and How’s of ESX patching

From the new VMware Security Blog, Nand Mulchandani responds to the article by Ron Oglesby and Dan Pianfetti at about the number of patches that VMware has released for VI3.

Link: VMware Security Blog > ESX patching questions.

Recently there was an article on “Patch Tuesday for VMware” over at It is an interesting article that raised some questions that we thought we might be able to shed some light on. The article was more focused on patching and not security alone, but since patching has now been so closely associated with security, I’ll jump in and provide a response on our security blog.

As the article points out, "patching is a necessary evil" – and that the existence of ESX patches should not come as a shock to anyone. So let’s talk about the sinister plan behind the increase in ESX patches. …

You should read the whole thing. (Seriously. Nand explains it well.) One gee-whiz part for me is with the new Update Manager — and even pre-3.5 with just DRS and VMotion — how the end-user and admin experience for VI patches is very much not like MS Patch Tuesday. The other gee-whiz is the percent of patches that have been going to the Red Hat-derived Service Console, which of course with 3i is now gone.



  1. My question is: does that mean you have to have purchased VMotion to get the benefits of Update Manager auto-managing the patch process using it? So what about those customers who don’t have VMotion? Now they will have to take down multiple servers to patch one ESX server.

  2. @Simon: Update Manager will still automanage the patch process for ESX Server even if you don’t have VMotion, but your VMs will be interrupted. Life with VMotion is indeed better and somewhat revolutionary, which is why we want folks to upgrade (and why we don’t think “Quick Migration” equivalents are at all the same). Update Manager will also patch your virtual machines, which doesn’t require VMotion.
    What we’ve also done is split the old Update Releases into lots of patches, but the key is that most of them are optional and independent, so you can pick and choose and keep service interruptions to a minimum. And not to repeat the blog post, but I’d expect 3i and descendants to require fewer patches as well.
