
Apply the Latest VMware ESXi Security Patches to OEM Custom Images and Visualize the Differences

VMware vSphere customers often rely on custom VMware ESXi images from server OEM partners, such as Cisco, Dell, and HPE, to ensure support for the specific devices that each of those manufacturers includes with its hardware. This arrangement makes initial deployment easier, because all the required storage and I/O drivers are included, but it often causes confusion when it comes to keeping up to date with the latest security patches published by VMware.

Since OEM partners typically only refresh their custom images alongside significant ESXi version releases or updates, vSphere admins must patch those custom images themselves when security vulnerabilities are fixed in between. A great resource for quickly reviewing available ESXi patches and their build numbers is KB 2143832. Download the applicable patch bundles from My VMware, and verify each download against the checksum published on the download page before adding it to a software depot.

PowerCLI Image Builder enables admins to keep the contents of an image profile up to date with the latest patches while still benefiting from the OEM images that contain hardware-specific device drivers. But selecting individual packages, known as VIBs (vSphere Installation Bundles), can be a daunting task for the uninitiated.

Fortunately, there’s a straightforward way to assemble an updated image: In a PowerCLI session, add both the OEM and VMware software depots, clone the OEM profile, and update it with the following command:

This is the simplest way to keep OEM images up to date with the latest VMware ESXi patches.  Don’t forget to export the resulting image profile to a zip or ISO file for subsequent use.
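The following PowerShell session is an added worked example of that procedure, written for this page rather than taken from the original post. It uses only stock PowerCLI Image Builder cmdlets (Add-EsxSoftwareDepot, Get-EsxImageProfile, New-EsxImageProfile, Set-EsxImageProfile, Get-EsxSoftwarePackage, Add-EsxSoftwarePackage, Export-EsxImageProfile); the depot paths, profile name, vendor string and output paths are placeholders to substitute with your own. Two details matter for security: the newest version of each package is chosen across all loaded depots, so an OEM async driver that is newer than the inbox driver in the VMware patch bundle is not silently downgraded, and the acceptance level is raised only as far as PartnerSupported, never to CommunitySupported, so unsigned VIBs still cannot slip into the image.

```powershell
# Added example (not from the original post): patch an OEM custom ESXi image with
# the latest VMware bundle using stock PowerCLI Image Builder cmdlets.
# Placeholders (assumptions): depot paths, profile name, vendor, output paths.
Import-Module VMware.ImageBuilder

# 1. Load the OEM offline bundle (hardware drivers) and the VMware patch bundle
#    (security/bugfix VIBs) as software depots in the same session.
$oemDepot   = Add-EsxSoftwareDepot 'C:\depots\OEM-Custom-ESXi.zip'
$patchDepot = Add-EsxSoftwareDepot 'C:\depots\ESXi-patch-bundle.zip'

# 2. Start from the OEM image profile; keep it untouched so it can be compared later.
$oemProfile = Get-EsxImageProfile -Name 'OEM-Custom-Profile-Name'
if (-not $oemProfile) { throw 'OEM image profile not found in the loaded depots' }

# 3. Clone the OEM profile under a new name.
$newProfile = New-EsxImageProfile -CloneProfile $oemProfile `
                                  -Name "$($oemProfile.Name)-patched" `
                                  -Vendor 'Example Corp'

# OEM driver VIBs are usually PartnerSupported. A VMwareCertified clone would refuse
# them on export, so set the level explicitly. Do NOT use CommunitySupported: that
# level also admits unsigned VIBs, which defeats the point of a patched image.
Set-EsxImageProfile -ImageProfile $newProfile -AcceptanceLevel PartnerSupported | Out-Null

# 4. Pick the newest version of every package name across ALL loaded depots.
#    Evaluating both depots together means a newer OEM async driver wins over the
#    older inbox driver in the VMware bundle, and a VMware security fix wins over
#    the older copy in the OEM bundle.
$current = @{}
foreach ($vib in $newProfile.VibList) { $current[$vib.Name] = $vib.Version }

$toApply = Get-EsxSoftwarePackage -Newest | Where-Object {
    # skip packages already at this version; include upgrades and packages that are
    # new in the patch bundle (missing from $current)
    $current[$_.Name] -ne $_.Version
}

if ($toApply) {
    Add-EsxSoftwarePackage -ImageProfile $newProfile -SoftwarePackage $toApply | Out-Null
}

# 5. Show what changed, then export. Export validates VIB signatures against the
#    acceptance level; never pass -NoSignatureCheck to silence a failure.
$newProfile.VibList |
    Where-Object { $current[$_.Name] -ne $_.Version } |
    Sort-Object Name |
    Select-Object Name, Version, AcceptanceLevel, CreationDate |
    Format-Table -AutoSize

Export-EsxImageProfile -ImageProfile $newProfile -ExportToBundle -FilePath 'C:\images\patched.zip' -Force
Export-EsxImageProfile -ImageProfile $newProfile -ExportToIso    -FilePath 'C:\images\patched.iso' -Force

# Record the hashes of the artifacts you are about to deploy so a later audit can
# tie a running host back to exactly this build.
Get-FileHash -Algorithm SHA256 'C:\images\patched.zip', 'C:\images\patched.iso'
```

After the export, confirm the new profile's esx-base version matches the build number listed in KB 2143832 for the patch you intended to apply; if it does not, the patch bundle was not loaded or contains an older build than the OEM image.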

Advanced VMware ESXi Image Profile Creation and Comparison

For those interested in a more full-featured approach to image creation, I'm pleased to share a pair of PowerCLI scripts that provide more automation, as well as detailed information about the contents of your ESXi image profiles. These scripts may be found on the VMware PowerCLI Example Scripts repository and are not officially supported by GSS (VMware Global Support Services).

esxi-image-creator.ps1 is a wrapper around the Image Builder commands that takes care of the additional tasks typically required when creating custom images. Mounting depot files and excluding or including specific VIBs are all handled for you. An advanced option lets admins select the latest VIBs by creation date rather than only by version number, for scenarios that warrant such fine-grained tuning. Finally, the resulting image can be written to an ISO and/or a zip bundle for use in your deployment workflows.

esxi-image-comparator.ps1 shows exactly what the differences are between two or more profiles.  The results can be viewed in the console window, in a GUI, or exported to CSV for safekeeping.  An interactive option and profile name include/exclude filters help whittle the selection down to exactly what you’re looking for.

Now you can confidently see every difference to know exactly what is changing in your ESXi image when applying patches!

Example VMware ESXi Image Management Use Cases

In the following section, I will go over a few sample workflows for image creation and show the resulting comparison output, using the -Grid option.

VMware ESXi 5.5 with Cisco UCS

Update the most recent Cisco custom image for ESXi 5.5 (U3b from December 2015) with the latest VMware patches and updated Cisco async drivers for enic and fnic devices.  Exclude the tools-light VIB to optimize for Auto Deploy.

VMware ESXi 6.0 with Dell PowerEdge

Integrate the most recent Dell ESXi 6.0U3 image, which has already been updated by Dell to include the latest express patch 7a (5224934), with NSX VIBs and remove VMware Tools for use with Auto Deploy.

VMware ESXi 6.5 with HPE Proliant

Generate an image that incorporates the latest HPE Proliant packages from their online repository with the most recent ESXi 6.5 offline bundle from VMware.
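The three use cases above share one shape: clone an OEM profile, pull in the newest packages from whatever depots are loaded, force a few extra VIBs in and a few out. As an added example (written for this page; it is not esxi-image-creator.ps1 and does not reproduce that script's options), the function below implements that shape with the stock Image Builder cmdlets. The -NewestByDate switch picks each package by CreationDate instead of the version string, which is the "by date" selection the script description mentions; -Include and -Exclude take exact package names. The depot paths, profile name and the NSX VIB names in the usage lines are assumptions: confirm the exact names in your depot with Get-EsxSoftwarePackage before relying on them.

```powershell
# Added example (not the page's esxi-image-creator.ps1): build a custom image profile
# with explicit include/exclude lists and optional newest-by-date selection.
Import-Module VMware.ImageBuilder

function New-CustomEsxProfile {
    param(
        [Parameter(Mandatory)] $BaseProfile,          # ImageProfile object to clone
        [Parameter(Mandatory)] [string] $Name,        # name of the new profile
        [string]   $Vendor = 'Example Corp',          # placeholder vendor string
        [string[]] $Exclude = @(),                    # exact package names to drop
        [string[]] $Include = @(),                    # exact package names to add
        [switch]   $NewestByDate                      # pick by CreationDate, not version
    )

    $p = New-EsxImageProfile -CloneProfile $BaseProfile -Name $Name -Vendor $Vendor
    # PartnerSupported admits signed OEM/partner VIBs; CommunitySupported would also
    # admit unsigned ones, so it is deliberately never used here.
    Set-EsxImageProfile -ImageProfile $p -AcceptanceLevel PartnerSupported | Out-Null

    # One candidate per package name, drawn from every loaded depot.
    if ($NewestByDate) {
        $candidates = Get-EsxSoftwarePackage | Group-Object Name | ForEach-Object {
            $_.Group | Sort-Object CreationDate -Descending | Select-Object -First 1
        }
    } else {
        $candidates = Get-EsxSoftwarePackage -Newest   # newest by version string
    }

    $current = @{}
    foreach ($v in $p.VibList) { $current[$v.Name] = $v.Version }

    # Only touch packages the base profile already carries, plus explicit includes;
    # never let a depot add unrelated packages to the image.
    $wanted = $candidates | Where-Object {
        ($_.Name -notin $Exclude) -and
        ($current.ContainsKey($_.Name) -or ($_.Name -in $Include)) -and
        ($current[$_.Name] -ne $_.Version)
    }
    if ($wanted) { Add-EsxSoftwarePackage -ImageProfile $p -SoftwarePackage $wanted | Out-Null }

    $drop = $p.VibList | Where-Object { $_.Name -in $Exclude }
    if ($drop) { Remove-EsxSoftwarePackage -ImageProfile $p -SoftwarePackage $drop | Out-Null }

    # Anything requested via -Include that no depot provided is a hard error:
    # a silently missing NSX or driver VIB is worse than a failed build.
    $missing = $Include | Where-Object { $_ -notin ($p.VibList | ForEach-Object Name) }
    if ($missing) { throw "Requested packages not found in any depot: $($missing -join ', ')" }

    return $p
}

# Usage for the Dell use case above (paths and names are placeholders):
# Dell 6.0U3 image + NSX VIB bundle, tools-light removed for Auto Deploy.
Add-EsxSoftwareDepot 'C:\depots\Dell-ESXi-6.0U3.zip', 'C:\depots\nsx-esx-vibs.zip' | Out-Null
$base = Get-EsxImageProfile -Name 'Dell-ESXi-6.0U3-Profile-Name'
$img  = New-CustomEsxProfile -BaseProfile $base -Name 'Dell-6.0U3-NSX-AutoDeploy' `
            -Exclude 'tools-light' `
            -Include 'esx-vxlan', 'esx-vsip', 'esx-dvfilter-switch-security'   # verify names in your depot

Export-EsxImageProfile -ImageProfile $img -ExportToBundle -FilePath 'C:\images\Dell-6.0U3-NSX-AutoDeploy.zip' -Force
```

For the Cisco case, load the Cisco custom image, the VMware patch bundle and the enic/fnic async driver bundle as depots and call the function with -Exclude 'tools-light' and no -Include; for the HPE case, Add-EsxSoftwareDepot also accepts the URL of an online depot's index.xml, so the HPE online repository and the VMware offline bundle can be loaded side by side and the function run with defaults.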

Public VMware Image Profile Repository

Do not attempt to use the public VMware image profile repository to create a custom image, as it contains many different versions of image profiles and the resulting Frankenimage will likely be entirely unusable.

However, if you would like to generate a spreadsheet comparing every VMware ESXi release, try this:
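The comparison script described earlier and the spreadsheet suggested here both reduce to the same operation: line up the VibList of two or more image profiles by package name and report what was added, removed or changed. The block below is an added example of that operation written for this page; it is not esxi-image-comparator.ps1 and has none of that script's interactive filtering. It assumes two profile objects already exist in the session (for instance the OEM profile and its patched clone) and, for the spreadsheet, that the public depot has been loaded with Add-EsxSoftwareDepot; the depot URL is the index VMware publishes for its public depot and should be checked against current VMware documentation, and the output paths are placeholders.

```powershell
# Added example (not the page's esxi-image-comparator.ps1): package-level diff of
# image profiles, viewable in a grid, exportable to CSV, plus a depot-wide spreadsheet.
Import-Module VMware.ImageBuilder

function Compare-EsxProfileVibs {
    param(
        [Parameter(Mandatory)] $Reference,    # ImageProfile, e.g. the OEM original
        [Parameter(Mandatory)] $Comparison    # ImageProfile, e.g. the patched clone
    )
    $ref = @{}; foreach ($v in $Reference.VibList)  { $ref[$v.Name] = $v }
    $cmp = @{}; foreach ($v in $Comparison.VibList) { $cmp[$v.Name] = $v }

    $names = @($ref.Keys) + @($cmp.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        $a = $ref[$n]; $b = $cmp[$n]
        $state = if (-not $a)                        { 'Added' }
                 elseif (-not $b)                    { 'Removed' }
                 elseif ($a.Version -eq $b.Version)  { 'Same' }
                 else                                { 'Changed' }
        [pscustomobject]@{
            Package           = $n
            State             = $state
            ReferenceVersion  = if ($a) { $a.Version } else { $null }
            ComparisonVersion = if ($b) { $b.Version } else { $null }
            # acceptance level of the package that will actually ship
            AcceptanceLevel   = if ($b) { $b.AcceptanceLevel } else { $a.AcceptanceLevel }
            CreationDate      = if ($b) { $b.CreationDate } else { $a.CreationDate }
        }
    }
}

# --- Usage 1: what did patching change? ($oem and $patched are ImageProfile objects) ---
$diff = Compare-EsxProfileVibs -Reference $oem -Comparison $patched |
        Where-Object State -ne 'Same'
$diff | Out-GridView -Title 'Image profile differences'          # grid view
$diff | Export-Csv -NoTypeInformation -Path 'C:\images\profile-diff.csv'   # for the change record

# A 'Removed' row for anything other than a package you excluded on purpose, or an
# AcceptanceLevel of CommunitySupported on any row, should fail your review.
$unexpected = $diff | Where-Object {
    ($_.State -eq 'Removed' -and $_.Package -ne 'tools-light') -or
    $_.AcceptanceLevel -eq 'CommunitySupported'
}
if ($unexpected) { $unexpected | Format-Table -AutoSize; Write-Warning 'Review the rows above' }

# The stock cmdlet gives the same answer at a coarser grain and also flags a change
# of the profile's own acceptance level:
Compare-EsxImageProfile -ReferenceProfile $oem -ComparisonProfile $patched

# --- Usage 2: spreadsheet of every package in every profile of the public depot ---
# Comparison only: do NOT build an image from this depot (see above).
Add-EsxSoftwareDepot 'https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml' | Out-Null
Get-EsxImageProfile | Sort-Object CreationTime | ForEach-Object {
    $profile = $_
    $profile.VibList | ForEach-Object {
        [pscustomobject]@{
            Profile = $profile.Name
            Created = $profile.CreationTime
            Package = $_.Name
            Version = $_.Version
            Level   = $_.AcceptanceLevel
        }
    }
} | Export-Csv -NoTypeInformation -Path 'C:\images\all-esxi-profiles.csv'
```

Pivoting the second CSV on Profile against Package in a spreadsheet gives one column per release and shows at a glance which patch first shipped a given esx-base build.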

Takeaways

  • Custom VMware ESXi images are the best way to get the full benefit of your preferred hardware
  • VMware ESXi security and bugfix patches typically need to be added to OEM custom images manually
  • These new PowerCLI scripts help streamline the workflow and provide confidence through detailed package comparisons